GHSA-mxjr-xmcg-fg7w – mobile-icon-resizer
Package
Manager: npm
Name: mobile-icon-resizer
Vulnerable Version: >=0.2.0 <0.4.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Arbitrary Code Injection in mobile-icon-resizer

mobile-icon-resizer resizes large images for use as icons for iOS and Android. mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3. It takes an options object as an argument to define the resulting icons, as such:

```
var options = {
  config: './config.js'
}
resize(options, function(err){});
```

config.js would need to be a file on the filesystem and look something like:

```
var config = {
  iOS: {
    "images": [
      /* iOS image definitions are not vulnerable */
    ]
  },
  android: {
    "images": [
      {
        "baseRatio": "console.log('Executing script as baseRatio property')",
        "folder": "drawable-ldpi"
      },
      {
        "ratio": "console.log('Executing script as ratio property')",
        "folder": "drawable-mdpi"
      },
      /* other android image definitions ... */
    ]
  }
};
exports = module.exports = config;
```

The parameters `ratio` and `baseRatio` are passed directly to `eval()`, thus allowing dynamic JavaScript payloads to be executed.

## Recommendation

Update to version 0.4.3 or later.
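The defender-side alternative to `eval()` for this kind of config value, as an added example that is neither the package's code nor the 0.4.3 fix itself: parse `ratio` and `baseRatio` as a decimal or a simple fraction and fail closed on anything else. The fraction format, `parseRatio` and `validateAndroidImages` are assumptions for illustration.

```javascript
// Added example, not mobile-icon-resizer's own code. Assumption: ratios in the
// Android config are decimals or simple fractions such as "3/4"; anything that
// is not one of those is rejected instead of being handed to eval().
const RATIO_RE = /^\s*(\d+(?:\.\d+)?)\s*(?:\/\s*(\d+(?:\.\d+)?))?\s*$/;

function parseRatio(value) {
  if (typeof value === 'number') {
    if (!Number.isFinite(value) || value <= 0) throw new RangeError('ratio must be a positive finite number');
    return value;
  }
  if (typeof value !== 'string') throw new TypeError('ratio must be a number or a string');
  const m = RATIO_RE.exec(value);
  // Anything with letters, parentheses or operators other than "/" ends here,
  // including the console.log(...) strings shown in the advisory.
  if (!m) throw new TypeError('ratio must be a number or "a/b", got ' + JSON.stringify(value));
  const den = m[2] === undefined ? 1 : Number(m[2]);
  if (den === 0) throw new RangeError('ratio denominator must be nonzero');
  const ratio = Number(m[1]) / den;
  if (ratio <= 0) throw new RangeError('ratio must be positive');
  return ratio;
}

// Check every Android image entry up front and report the offending ones so the
// caller can refuse the whole config (fail closed) rather than skip entries.
function validateAndroidImages(images) {
  const rejected = [];
  for (const img of images) {
    for (const key of ['ratio', 'baseRatio']) {
      if (img[key] === undefined) continue;
      try {
        parseRatio(img[key]);
      } catch (err) {
        rejected.push({ folder: img.folder, key: key, reason: err.message });
      }
    }
  }
  return rejected;
}

// Constructed sample mirroring the advisory's config: the two payload strings
// from the advisory plus one benign fraction entry.
const sampleAndroidImages = [
  { baseRatio: "console.log('Executing script as baseRatio property')", folder: 'drawable-ldpi' },
  { ratio: "console.log('Executing script as ratio property')", folder: 'drawable-mdpi' },
  { ratio: '3/4', folder: 'drawable-hdpi' },
];
```

Running `validateAndroidImages(sampleAndroidImages)` reports the two payload entries and accepts the `3/4` entry; a loader should abort on a non-empty result.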
Metadata
Created: 2019-06-27T17:25:21Z
Modified: 2021-08-17T15:41:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-mxjr-xmcg-fg7w/GHSA-mxjr-xmcg-fg7w.json
CWE IDs: ["CWE-94"]
Alternative ID: N/A
Finding: F422
Auto approve: 1