
CVE-2021-28162: Command Injection in @theia/messages

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.39297%
Published: 5/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: @theia/messages
Ecosystem: npm
Vulnerable Versions: < 1.0.0
First Patched Version: 1.0.0

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stemmed from insecure markdown rendering in notification messages. The patch shows:

  1. Removal of a local markdown-it instance with HTML enabled (html: true)
  2. Replacement with a dedicated NotificationContentRenderer that disables HTML
  3. Added HTML escaping tests in notification-content-renderer.spec.ts

The original vulnerable code path ran through NotificationManager's renderMessage method, which processed user-controlled input directly, without HTML escaping. Before the fix, this function was responsible for rendering the dangerous output, so it would appear in stack traces when malicious notification content was processed.
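To make the root-cause analysis concrete, here is an added example (not Theia's or markdown-it's code) that models the two renderer configurations the patch contrasts: a markdown renderer with HTML enabled versus one that escapes the message before any markdown is turned into tags. The function names, the toy markdown subset (**bold** and [text](url)) and the sample message are assumptions for this example.

```javascript
// Added example, not Theia's or markdown-it's code. Models the two renderer
// configurations from the root-cause analysis with a toy markdown subset
// (**bold** and [text](url)) so it runs without dependencies.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let a message break out of an HTML text node or attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Links are the one place this subset emits an attribute: allow only http(s)
// targets so a markdown link cannot carry a javascript: URL.
function safeHref(url) {
  return /^https?:\/\//i.test(url) ? url : '#';
}

// `html: true` mirrors the vulnerable local markdown-it instance: raw HTML in
// the message reaches the DOM unchanged. `html: false` mirrors the dedicated
// NotificationContentRenderer: the message is HTML-escaped first, and only the
// renderer's own <strong> and <a> tags are ever emitted.
function renderNotification(message, { html = false } = {}) {
  const text = html ? message : escapeHtml(message);
  return text
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g,
      (_, label, url) => `<a href="${safeHref(url)}">${label}</a>`);
}

// Regression check in the spirit of notification-content-renderer.spec.ts:
// after removing the tags the renderer itself produces, no '<' may remain,
// otherwise markup from the message survived into the output.
function rendersOnlyOwnTags(message, opts) {
  const out = renderNotification(message, opts);
  const stripped = out.replace(/<\/?strong>|<a href="[^"]*">|<\/a>/g, '');
  return !stripped.includes('<');
}

// Constructed sample: a notification body that an extension or remote could supply.
const SAMPLE = '**Build failed**: <script>alert(1)</script> see [log](https://example.com/log?id=1&run=2)';
console.log('html: true  ->', renderNotification(SAMPLE, { html: true }));
console.log('html: false ->', renderNotification(SAMPLE, { html: false }));
```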

WAF Protection Rules

WAF Rule

In Eclipse Theia versions up to and including [version redacted on the source page], in the notification messages there is no HTML escaping, so JavaScript code can run.
