
CVE-2023-49210: openssl npm package vulnerable to command execution

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.69425%
Published: 11/23/2023
Updated: 11/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: openssl
Ecosystem: npm
Vulnerable Versions: <= 2.0.0
First Patched Version: none listed

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from the `openssl` function in `index.js`, which unsafely concatenates the user-provided `verb` parameter into a command string passed to `exec`. The code sample shows direct interpolation of `opts.verb` into that string without validation or sanitization, so an attacker can inject additional commands via shell operators (e.g., `| touch exploited.txt`). The advisory explicitly identifies the `verb` field as the injection vector, and the proof-of-concept demonstrates successful exploitation through this parameter. Calling `child_process.exec` with unvalidated input is a well-known command injection pattern (CWE-77).


WAF Protection Rules

WAF Rule

The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only
