CVE-2022-0144 Overview
CVE-2022-0144 is an Improper Privilege Management vulnerability affecting shelljs, a popular Unix shell commands implementation for Node.js. The vulnerability exists in the exec() function which creates temporary files with insecure permissions, potentially allowing unauthorized users to read sensitive command output or interfere with file operations.
Critical Impact
Local attackers with low privileges can exploit insecure file permissions to access sensitive data written to stdout/stderr files or manipulate execution flow by pre-creating locked files.
Affected Products
- shelljs_project shelljs (Node.js package)
Discovery Timeline
- 2022-01-11 - CVE CVE-2022-0144 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0144
Vulnerability Analysis
The vulnerability stems from insecure file permission handling in shelljs's synchronous exec() function. When executing commands, shelljs creates temporary files to capture stdout and stderr output. Prior to the security fix, these files were created with default permissions that allowed other users on the system to read their contents.
The attack requires local access with low privileges. Successful exploitation can lead to unauthorized disclosure of sensitive information (confidentiality impact) and denial of service conditions (availability impact) when an attacker pre-creates the target files with restricted permissions.
Root Cause
The root cause is the use of fs.writeFileSync() without specifying restrictive file permissions. The function wrote to paramsFile, stdoutFile, and stderrFile using default system umask settings, which typically allow read access to other users. This violates the principle of least privilege for temporary files that may contain sensitive command output.
The vulnerability is classified under CWE-269 (Improper Privilege Management), as the application fails to properly restrict access to resources that should be protected.
Attack Vector
An attacker with local access to the system can exploit this vulnerability through two primary methods:
Information Disclosure: Monitor or read the stdout/stderr files created by shelljs to capture sensitive command output from other users' processes.
Denial of Service: Read the paramsFile to determine the paths of stdout/stderr files, then pre-create these files with restrictive permissions. This causes the exec() function to crash when it attempts to write to files it cannot access.
The security patch addresses this by implementing a writeFileLockedDown() helper function:
stderrFile: stderrFile,
};
- fs.writeFileSync(paramsFile, JSON.stringify(paramsToSerialize), 'utf8');
+ // Create the files and ensure these are locked down (for read and write) to
+ // the current user. The main concerns here are:
+ //
+ // * If we execute a command which prints sensitive output, then
+ // stdoutFile/stderrFile must not be readable by other users.
+ // * paramsFile must not be readable by other users, or else they can read it
+ // to figure out the path for stdoutFile/stderrFile and create these first
+ // (locked down to their own access), which will crash exec() when it tries
+ // to write to the files.
+ function writeFileLockedDown(filePath, data) {
+ fs.writeFileSync(filePath, data, {
+ encoding: 'utf8',
+ mode: parseInt('600', 8),
+ });
+ }
+ writeFileLockedDown(stdoutFile, '');
+ writeFileLockedDown(stderrFile, '');
+ writeFileLockedDown(paramsFile, JSON.stringify(paramsToSerialize));
var execArgs = [
path.join(__dirname, 'exec-child.js'),
Source: GitHub Commit
Detection Methods for CVE-2022-0144
Indicators of Compromise
- Unusual file access patterns to temporary directories where shelljs creates execution files
- Multiple read attempts on files matching shelljs temporary file naming patterns
- Unexpected process crashes in Node.js applications using shelljs exec() function
- Evidence of file permission manipulation in application log files
Detection Strategies
- Audit Node.js application dependencies using npm audit or similar tools to identify vulnerable shelljs versions
- Monitor file system events for temporary files created with overly permissive modes (not 0600)
- Implement software composition analysis (SCA) scanning in CI/CD pipelines to detect vulnerable packages
- Use runtime application self-protection (RASP) to monitor for suspicious file operations
Monitoring Recommendations
- Enable file integrity monitoring on directories commonly used for temporary files
- Configure alerts for applications using shelljs package versions prior to the security patch
- Monitor for unusual cross-user file access patterns on multi-user systems
- Implement dependency scanning as part of regular security assessments
How to Mitigate CVE-2022-0144
Immediate Actions Required
- Update shelljs to the patched version that includes commit d919d22dd6de385edaa9d90313075a77f74b338c
- Run npm audit fix to automatically update vulnerable dependencies
- Review applications using shelljs exec() for potential sensitive data exposure
- Audit multi-user systems where shelljs applications may have been running
Patch Information
The vulnerability was fixed in the shelljs project through commit d919d22dd6de385edaa9d90313075a77f74b338c. The patch introduces a writeFileLockedDown() helper function that creates all temporary files with mode 0600 (owner read/write only), ensuring that stdout, stderr, and parameter files are protected from access by other users.
For additional details, see the Huntr Bounty Report and the GitHub Commit Update.
Workarounds
- Avoid using shelljs exec() function in synchronous mode on multi-user systems until patched
- Implement strict file system permissions on temporary directories used by Node.js applications
- Consider using the asynchronous exec() mode which may have different behavior
- Isolate affected applications in containers or sandboxed environments to limit local access
# Update shelljs to patched version
npm update shelljs
# Verify installed version contains the fix
npm list shelljs
# Run security audit
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
