Description
Summary
A critical command injection vulnerability exists in the nei package for Node.js (versions prior to 3.8.0), allowing attackers to execute arbitrary operating system commands via unsanitized input in the openBrowser function. This flaw exposes applications to unauthorized system-level actions, compromising server security.
Details
The vulnerability arises from improper sanitization of user-provided input within the openBrowser function in the nei/lib/server/util module. The function directly concatenates unsanitized input into command-line operations without validation or escaping, enabling attackers to inject shell metacharacters (e.g., ;, &, |). This allows execution of arbitrary commands on the server hosting the application. The issue affects all versions of the nei package before 3.8.0.
Impact
This is a CWE-78: Improper Sanitization of Special Elements vulnerability, categorized as a command injection risk. Users running applications dependent on nei@<3.8.0 are impacted. An attacker could exploit this to perform unauthorized actions on the server, such as modifying files, exfiltrating data, or disrupting services, leading to full system compromise. Immediate upgrade to version 3.8.0 or later is recommended. For further details, visit the NEI Toolkit GitHub repository.