Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.

N/A

对生成代码的控制不恰当(代码注入)

Signal K Server 代码注入漏洞

Signal K Server是Signal K开源的一个船用中央服务器。 Signal K Server 2.19.0之前版本存在代码注入漏洞，该漏洞源于appstore接口将版本参数直接传递给npm而未进行清理，可能导致任意代码执行。

N/A

N/A