Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW14anIteG1jZy1mZzd3
Arbitrary Code Injection in mobile-icon-resizer
mobile-icon-resizer resizes large images for use as icons for iOS and Android.
mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.
mobile-icon-resizer takes an options object as an argument to define the resulting icons as such:
var options = {
  config: './config.js'
};
resize(options, function(err){});
config.js would need to be a file on the filesystem and look something like:
var config = {
  iOS: {
    "images": [
      /* iOS image definitions are not vulnerable */
    ]
  },
  android: {
    "images": [
      {
        "baseRatio": "console.log('Executing script as baseRatio property')",
        "folder": "drawable-ldpi"
      },
      {
        "ratio": "console.log('Executing script as ratio property')",
        "folder": "drawable-mdpi"
      },
      /* other android image definitions ... */
    ]
  }
};
exports = module.exports = config;
The parameters ratio and baseRatio are passed directly to eval(), thus allowing dynamic JavaScript payloads to be executed.
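The following is an added example, not mobile-icon-resizer's own code: it contrasts the eval() pattern the advisory describes with a strict numeric parse of the android image entries. The function names and the config shape are assumptions modelled on the config.js above.

```javascript
// Vulnerable pattern (modelled on the advisory): the config value reaches
// eval() unchanged, so any JavaScript expression stored in config.js runs
// inside the build process instead of being read as a number.
function unsafeRatio(value) {
  return eval(value);
}

// Hardened pattern: accept only a positive finite number, or a string that
// is purely a decimal literal. Expressions such as "1+1" are rejected
// rather than evaluated.
const DECIMAL = /^\d+(\.\d+)?$/;
function safeRatio(value) {
  if (typeof value === 'number') {
    if (!Number.isFinite(value) || value <= 0) {
      throw new TypeError('ratio must be a positive finite number');
    }
    return value;
  }
  if (typeof value === 'string' && DECIMAL.test(value.trim())) {
    return Number(value);
  }
  throw new TypeError('ratio must be a numeric literal, got: ' + JSON.stringify(value));
}

// Validate an android "images" list of the shape shown in the advisory and
// return parsed ratios, so later code never touches the raw config strings.
function parseAndroidImages(images) {
  return images.map((img, i) => {
    if (!/^[\w-]+$/.test(String(img.folder))) {
      throw new TypeError('images[' + i + '].folder is not a plain directory name');
    }
    const out = { folder: img.folder };
    if ('ratio' in img) out.ratio = safeRatio(img.ratio);
    if ('baseRatio' in img) out.baseRatio = safeRatio(img.baseRatio);
    if (!('ratio' in out) && !('baseRatio' in out)) {
      throw new TypeError('images[' + i + '] needs ratio or baseRatio');
    }
    return out;
  });
}

// Constructed sample: one benign entry and one carrying a JavaScript
// expression, mirroring the advisory's config.js.
const sampleImages = [
  { ratio: '0.75', folder: 'drawable-ldpi' },
  { baseRatio: "console.log('Executing script as baseRatio property')", folder: 'drawable-mdpi' },
];
```

Running parseAndroidImages over sampleImages throws on the second entry, whereas unsafeRatio would execute it.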
Recommendation
Update to version 0.4.3 or later.
Permalink: https://github.com/advisories/GHSA-mxjr-xmcg-fg7w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW14anIteG1jZy1mZzd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-mxjr-xmcg-fg7w
References:
- https://github.com/muzzley/mobile-icon-resizer/issues/8
- https://github.com/muzzley/mobile-icon-resizer/commit/a6c50f884bd282d74ab77e1fce6317d5d0dd2f0f
- https://www.npmjs.com/advisories/317
- https://snyk.io/vuln/npm:mobile-icon-resizer:20160408
- https://github.com/advisories/GHSA-mxjr-xmcg-fg7w
Blast Radius: 3.1
Affected Packages
npm:mobile-icon-resizer
Dependent packages: 2
Dependent repositories: 3
Downloads: 972 last month
Affected Version Ranges: >= 0.2.0, < 0.4.3
Fixed in: 0.4.3
All affected versions: 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2
All unaffected versions: 0.4.3, 1.0.0