
CVE-2021-26275: Command injection in eslint-fixer

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score: 0.89951%
Published: 4/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: eslint-fixer
Ecosystem: npm
Vulnerable Versions: <= 0.1.5
First Patched Version: none listed

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description explicitly states that command injection occurs via the fix function. The npm package documentation shows that fix() runs eslint --fix on user-supplied file paths. Without input sanitization, or without a child_process method that avoids the shell (such as execFile with an argument array), passing untrusted input to this function allows command injection through shell metacharacters embedded in the path. Because the function directly builds and executes a shell command from user input, it is clearly the vulnerable code path.


WAF Protection Rules

WAF Rule

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repo
