CVE-2013-7377
Potential Command Injection in codem-transcode
Description
When the ffprobe functionality is enabled on the server, HTTP POST requests can be made to /probe. These requests are passed to the ffprobe binary on the server. Through this endpoint a crafted source file name can be passed to ffprobe, resulting in arbitrary command execution on the server.
Mitigating Factors
The ffprobe functionality is not enabled by default. In addition, exploitation opportunities are limited in a standard configuration because the server binds to the local interface by default. Note that binding to the local interface only limits network exposure; a reverse proxy in front of the service, or any process on the same host, can still reach the endpoint.
Recommendation
An updated and patched version of the module (version 0.5.0) is available via npm. Users who have enabled the ffprobe functionality are especially encouraged to upgrade.
How to fix CVE-2013-7377
To remediate CVE-2013-7377, upgrade the affected package to a fixed version. You can check the installed version with `npm ls codem-transcode`.
- codem-transcode: upgrade to 0.5.0 or later
Is CVE-2013-7377 being exploited?
Low: the EPSS score is 1.3%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed exploitation, so a low score does not mean the issue is unexploitable; an enabled ffprobe endpoint that is reachable remotely should still be treated as high risk.
Affected packages (1)
- codem-transcode (npm): all versions before 0.5.0 (>= 0, < 0.5.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.0 | HIGH (8.1) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |