Remote code execution due to use of very old and deprecated version of fsevents library


Version: <= 1.2.10
Vulnerability: Exposure of Resource to Wrong Sphere (CWE-668)
CVE: N/A

Description of the vulnerability:

This repository depends on an insecure and deprecated 1.x release of the "fsevents" Node.js library, which can allow an attacker to execute arbitrary code on hosts belonging to this repo. Older versions of fsevents are vulnerable to code injection because they do not ship their native binding in the npm package: at install time they download an additional prebuilt binary from a URL that is generated dynamically from the package version, Node ABI, platform and architecture. I found that versions in the 1.x line (up to 1.2.10) fetch that binary from the S3 bucket https://fsevents-binaries.s3-us-west-2.amazonaws.com, and that the bucket fsevents-binaries no longer existed at the time of this report.

A deleted S3 bucket name can be claimed by anyone, so an attacker can re-create fsevents-binaries and upload a malicious binary under the path the installer expects. Any endpoint that installs (or reinstalls) this insecure and deprecated version of fsevents would then download and load the attacker's binary, which ends in remote code execution on every host that uses it.
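As an added example (not code from this report, from fsevents or from node-pre-gyp), the Node.js script below shows both halves of the issue: it expands a node-pre-gyp style "binary" stanza into the download URL by substituting the {version}/{node_abi}/{platform}/{arch} placeholders, and it walks a package-lock.json object to flag every fsevents entry at or below 1.2.10. The stanza values are modelled on the fsevents 1.2.x package.json and are an assumption here; the lockfile is constructed for the example and does not come from any real project.

```javascript
// Added example, not fsevents' or node-pre-gyp's own code.
// The "binary" stanza is modelled on the shape fsevents 1.2.x used with
// node-pre-gyp; the exact values are an assumption and should be read from
// the package.json of the release you are checking.
const FSEVENTS_BINARY_STANZA = {
  module_name: "fse",
  remote_path: "./v{version}/",
  package_name: "{module_name}-v{version}-{node_abi}-{platform}-{arch}.tar.gz",
  host: "https://fsevents-binaries.s3-us-west-2.amazonaws.com",
};

// Last fsevents release this report names as affected.
const LAST_AFFECTED = [1, 2, 10];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true for every fsevents version <= 1.2.10
function isAffectedVersion(version) {
  return compareVersions(parseVersion(version), LAST_AFFECTED) <= 0;
}

// Substitute {placeholder} tokens; unknown tokens are left untouched so a
// mistake in the stanza is visible in the resulting URL rather than hidden.
function expandTemplate(template, vars) {
  return template.replace(/\{(\w+)\}/g, (whole, key) =>
    key in vars ? vars[key] : whole);
}

// host + remote_path + package_name, the way node-pre-gyp composes the URL
// it will download and unpack at install time.
function binaryDownloadUrl(stanza, vars) {
  const full = { module_name: stanza.module_name, ...vars };
  const remotePath = expandTemplate(stanza.remote_path, full).replace(/^\.\//, "/");
  const file = expandTemplate(stanza.package_name, full);
  return stanza.host.replace(/\/$/, "") + remotePath + file;
}

// Collect fsevents entries from a package-lock.json object. lockfileVersion 1
// nests transitive deps under "dependencies"; v2/v3 flatten them under
// "packages" keyed by their node_modules path.
function findFsevents(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [loc, info] of Object.entries(lock.packages)) {
      if (loc.endsWith("node_modules/fsevents")) hits.push({ path: loc, version: info.version });
    }
    return hits;
  }
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path ? `${path} > ${name}` : name;
      if (name === "fsevents") hits.push({ path: here, version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

function affectedEntries(lock) {
  return findFsevents(lock).filter((e) => isAffectedVersion(e.version));
}

// Constructed sample lockfile: a transitive fsevents 1.2.9 under chokidar
// (affected) and a top-level fsevents 2.3.2 (not affected).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    chokidar: { version: "2.1.8", dependencies: { fsevents: { version: "1.2.9", optional: true } } },
    fsevents: { version: "2.3.2", optional: true },
  },
};

// Assumed target: Node ABI 72 on macOS x64, the platform fsevents runs on.
const TARGET = { node_abi: "node-v72", platform: "darwin", arch: "x64" };

for (const e of affectedEntries(SAMPLE_LOCK)) {
  const url = binaryDownloadUrl(FSEVENTS_BINARY_STANZA, { version: e.version, ...TARGET });
  console.log(`${e.path}: fsevents ${e.version} downloads ${url}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. To confirm the takeover condition itself, request the host in the stanza directly: S3 answers a request for a bucket nobody owns with a 404 `NoSuchBucket` body, whereas an existing bucket that merely refuses listing returns 403 `AccessDenied`; only the former can be claimed.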

References

https://www.npmjs.com/package/fsevents/v/1.0.0
https://www.npmjs.com/package/fsevents/v/1.2.2
https://www.npmjs.com/package/fsevents/v/1.2.9
https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987