Severity: critical

Arbitrary Code Injection



mobile-icon-resizer resizes large images for use as icons for iOS and Android.

mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.

mobile-icon-resizer takes an options object as an argument to define the resulting icons as such:

var options = {
  config: './config.js'
};
resize(options, function(err){});

config.js would need to be a file on the filesystem and look something like:

var config = {
  iOS: {
    "images": [
      /* iOS image definitions are not vulnerable */
    ]
  },
  android: {
    "images": [
      {
        "baseRatio": "console.log('Executing script as baseRatio property')",
        "folder": "drawable-ldpi"
      },
      {
        "ratio": "console.log('Executing script as ratio property')",
        "folder": "drawable-mdpi"
      }
      /* other android image definitions ... */
    ]
  }
};

exports = module.exports = config;

The ratio and baseRatio parameters are passed directly to eval(), so any JavaScript placed in those strings is executed with the privileges of the process that loads the config.
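The following is an added example, not code from mobile-icon-resizer. It puts the pattern the advisory describes (a string from the config passed straight to eval()) next to a hardened equivalent that treats ratio and baseRatio as plain decimal numbers. The helper names (ratioUnsafe, ratioSafe, validateAndroidImages) and the sample config are constructed for this illustration and are not the library's own API.

```javascript
// Added example (not mobile-icon-resizer code): the eval() anti-pattern the
// advisory describes, beside a strict numeric parser that replaces it.

// Constructed config in the shape of the advisory's android section. The second
// entry's ratio is a valid JavaScript expression but not a number.
const sampleConfig = {
  android: {
    images: [
      { baseRatio: '1', folder: 'drawable-ldpi', ratio: '0.75' },
      { baseRatio: '1', folder: 'drawable-mdpi', ratio: '2*3' },
    ],
  },
};

// Vulnerable pattern (hypothetical helper): the config string is handed to
// eval(), so it is executed as code rather than read as a number.
function ratioUnsafe(str) {
  return eval(str);
}

// Hardened pattern: accept only a plain positive decimal. Number() alone is not
// strict enough (it accepts '0x10', '', '1e3'), so match the grammar first.
const DECIMAL = /^\d+(\.\d+)?$/;
function ratioSafe(str) {
  const s = String(str).trim();
  if (!DECIMAL.test(s)) {
    throw new TypeError('ratio must be a plain decimal number, got ' + JSON.stringify(str));
  }
  const n = Number(s);
  if (!(n > 0)) {
    throw new RangeError('ratio must be positive');
  }
  return n;
}

// Validate every android image entry up front; returns numeric ratios or
// throws on the first entry that is not a plain number.
function validateAndroidImages(config) {
  return config.android.images.map(function (img) {
    return {
      folder: img.folder,
      baseRatio: ratioSafe(img.baseRatio),
      ratio: ratioSafe(img.ratio),
    };
  });
}

if (typeof module !== 'undefined') {
  module.exports = { sampleConfig, ratioUnsafe, ratioSafe, validateAndroidImages, DECIMAL };
}
```

Run with node: ratioUnsafe('2*3') returns 6 because the string is evaluated, while ratioSafe('2*3') throws a TypeError and validateAndroidImages(sampleConfig) rejects the whole config before any image is resized. Parsing to a number at the config boundary is the fix; eval() is never needed to read a scale factor.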


Update to version 0.4.3 or later.



Advisory timeline

  1. published

    Advisory published
    Jan 15th, 2018
  2. reported

    Initial report by Cristian-Alexandru Staicu
    Mar 7th, 2017