N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4qqc-mp5f-ccv4

EPSS Score

CWE

CWE-77

Published

9/2/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4qqc-mp5f-ccv4

GHSA-4qqc-mp5f-ccv4: Command Injection in bestzip

Versions of bestzip prior to 2.1.7 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the zip function . This may allow attackers to execute arbitrary code in the system as long as the values of destination is user-controlled. This only affects users with a native zip command available. The following examples demonstrate the issue from the CLI and also programatically:

bestzip test.zip 'sourcefile; mkdir folder'
zip({ source: 'sourcefile', destination: './test.zip; mkdir folder' })

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4qqc-mp5f-ccv4

EPSS Score

CWE

CWE-77

Published

9/2/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bestzip	npm	< 2.1.7	2.1.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the nativeZip function constructing a shell command by concatenating user-controlled 'destination' and 'source' parameters. The patch shows a transition from dangerous cp.exec (which spawns a shell) to safe cp.spawn (which avoids shell interpretation) with explicit argument arrays. The original function's command string construction (visible in the removed code in the patch) lacked any input sanitization, making it vulnerable to injection when user-controlled values contain shell metacharacters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `**stzip` prior to *.*.* *r* vuln*r**l* to *omm*n* Inj**tion. T** p**k*** **ils to s*nitiz* input rul*s *n* p*ss*s it *ir**tly to *n `*x**` **ll on t** `zip` *un*tion . T*is m*y *llow *tt**k*rs to *x**ut* *r*itr*ry *o** in t** syst*m *s l

Reasoning

T** vuln*r**ility st*ms *rom t** `n*tiv*Zip` *un*tion *onstru*tin* * s**ll *omm*n* *y *on**t*n*tin* us*r-*ontroll** '**stin*tion' *n* 'sour**' p*r*m*t*rs. T** p*t** s*ows * tr*nsition *rom **n**rous `*p.*x**` (w*i** sp*wns * s**ll) to s*** `*p.sp*wn`

N/A

Basic Information

Concerned about an active attack path?

GHSA-4qqc-mp5f-ccv4: Command Injection in bestzip

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI