npm

Severity: critical

Arbitrary Code Injection

mobile-icon-resizer

Overview

mobile-icon-resizer resizes large images for use as icons for iOS and Android.

mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.

mobile-icon-resizer takes an options object as an argument that points at the config describing the resulting icons, for example:

var options = {
  config: './config.js'
}
resize(options, function(err){});

config.js would need to be a file on the filesystem and look something like:

var config = {
  iOS: {
    "images": [
     /* iOS image definitions are not vulnerable */
    ]
  },
  android: {
    "images" : [
      {
        "baseRatio" : "console.log('Executing script as baseRatio property')",
        "folder" : "drawable-ldpi"
      },
      {
        "ratio" : "console.log('Executing script as ratio property')",
        "folder" : "drawable-mdpi"
      },
    /* other android image definitions ... */
    ]
  }
};

exports = module.exports = config;

The ratio and baseRatio parameters are passed directly to eval(), so any JavaScript placed in those fields is executed with the privileges of the process running the resizer.
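The hardened alternative is to never evaluate these fields and instead accept only numeric values. The following is an added example, not code from mobile-icon-resizer or the fixed 0.4.3 release; it assumes that a ratio field legitimately holds a positive number or a simple "a/b" fraction string (an assumption about the config format) and rejects anything else before any arithmetic takes place:

```javascript
// Added example (not mobile-icon-resizer code): validate ratio fields from a
// config of the shape shown in this advisory without ever calling eval().
// Assumption: a ratio is a positive finite number or a string such as "1.5"
// or "3/4". Anything else is rejected with an error that names the field.

// Optional-sign decimal number, optionally followed by "/" and a second number.
const RATIO_RE = /^\s*([+-]?\d+(?:\.\d+)?)(?:\s*\/\s*(\d+(?:\.\d+)?))?\s*$/;

function parseRatio(value, field) {
  // Native numbers pass through if they are finite and positive.
  if (typeof value === 'number') {
    if (!Number.isFinite(value) || value <= 0) {
      throw new TypeError(`${field} must be a positive finite number`);
    }
    return value;
  }
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a number or numeric string`);
  }
  const m = RATIO_RE.exec(value);
  if (!m) {
    // Not a numeric literal: refuse it. The string is never interpreted as code.
    throw new TypeError(`${field} is not a numeric ratio: ${JSON.stringify(value)}`);
  }
  const num = Number(m[1]);
  const den = m[2] === undefined ? 1 : Number(m[2]);
  if (den === 0 || num <= 0) {
    throw new RangeError(`${field} must be a positive ratio`);
  }
  return num / den;
}

// Walks config.android.images (the structure from the advisory) and returns a
// sanitised copy in which ratio and baseRatio are plain numbers.
function validateAndroidImages(config) {
  const images = (config && config.android && config.android.images) || [];
  if (!Array.isArray(images)) {
    throw new TypeError('android.images must be an array');
  }
  return images.map((img, i) => {
    const out = { folder: String(img.folder) };
    if ('baseRatio' in img) {
      out.baseRatio = parseRatio(img.baseRatio, `android.images[${i}].baseRatio`);
    }
    if ('ratio' in img) {
      out.ratio = parseRatio(img.ratio, `android.images[${i}].ratio`);
    }
    return out;
  });
}

// Constructed sample: a benign config and one carrying a non-numeric ratio.
const goodConfig = {
  android: { images: [{ baseRatio: '3/4', folder: 'drawable-ldpi' }, { ratio: 1.5, folder: 'drawable-mdpi' }] },
};
const badConfig = {
  android: { images: [{ baseRatio: "console.log('not a number')", folder: 'drawable-ldpi' }] },
};

function demo() {
  const ok = validateAndroidImages(goodConfig);
  let rejected = false;
  try {
    validateAndroidImages(badConfig);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { ok, rejected };
}
```

Calling demo() returns the sanitised images for the benign config and reports that the config with a script string in baseRatio was rejected. Loading the config with require() still executes config.js itself, so the validation only closes the eval() path; the config file should still be treated as trusted input.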

Remediation

Update to version 0.4.3 or later.


Advisory timeline

  1. published

    Advisory published
    Jan 15th, 2018
  2. reported

    Initial report by Cristian-Alexandru Staicu
    Mar 7th, 2017