Hello!
I'm Goro, the primary maintainer of https://github.com/msgpack/msgpack-javascript (a.k.a. @msgpack/msgpack) right now.
Thanks for your vulnerability report. However, I'm not sure the code is really vulnerable. The following expression is part of your PoC:
(function () { require("child_process").exec("echo code_executed!", function (error, stdout, stderr) { console.log(stdout); }); })();
The anonymous function expression is called immediately, right? So the value of the expression is undefined, since the function does not have a return statement. So the object passed to msgpack.encode() is { exploit: undefined }. child_process.exec() does not seem to be related to the msgpack module.
What do you think?
Best Regards, Goro Fuji