Description
Summary
A command injection vulnerability in the getWebpackBuilder function of the easywebpack-cli package allows an attacker who controls the function's input to execute arbitrary operating system commands. The input is placed into an OS command line without sufficient sanitization, so a value containing shell metacharacters is interpreted by the shell as additional commands rather than treated as data. Versions prior to 4.8.1 are affected; successful exploitation results in arbitrary command execution on the host while the Webpack configuration is being processed.
Details
The easywebpack-cli package, designed to streamline Webpack configuration and boilerplate initialization, contains a critical flaw in its getWebpackBuilder function. The function does not sanitize the input string before using it to build an OS command, so an attacker can terminate the intended command and append their own by including unescaped shell metacharacters (for example ||, ;, and &). Wherever user-controlled input reaches this function without strict validation, the attacker can manipulate the command-building logic and cause unintended commands to run in the application's runtime environment.
This issue affects versions prior to 4.8.1.
Impact
This vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) poses a critical risk to applications using easywebpack-cli versions before 4.8.1. An attacker can exploit it to execute arbitrary commands on the host system, potentially leading to data breaches, service disruption, or full system compromise. The exposure is greatest where user-controlled input reaches getWebpackBuilder without validation or escaping. Maintainers and users of affected versions should update to 4.8.1 or later to eliminate this exposure.
Affected Versions: easywebpack-cli < 4.8.1
Reference: GitHub Repository