Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?

Hello!

I'm Goro, the primary maintainer of https://github.com/msgpack/msgpack-javascript (a.k.a. @msgpack/msgpack) right now.

Thanks for your vulnerability report. However, I'm not sure the code is really vulnerable. The following expression is part of your PoC:

(function () { require("child_process").exec("echo code_executed!", function (error, stdout, stderr) { console.log(stdout); }); })();

The anonymous function expression is called immediately, right? So the value of the expression is undefined, since the function does not have a return statement. So the object passed to msgpack.encode() is { exploit: undefined }. child_process.exec() seems not related to the mspgack module.

What do you think?


Best Regards, Goro Fuji

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment