Socket Firewall Arbitrary Code Execution Vulnerability in Untrusted Project Directories
Vulnerability
A vulnerability allowing arbitrary code execution exists in Socket Firewall binary versions prior to 0.15.5 when the tool is run in an untrusted project directory. Socket Firewall loads a configuration file named '.sfw.config' from the project directory and injects its contents as environment variables into the Node.js process. Because Node.js honours NODE_OPTIONS from the environment, an attacker who controls the project contents (for example, a repository the developer clones) can place a '.sfw.config' in the directory that sets NODE_OPTIONS to '--require' a JavaScript file shipped alongside it. When the developer then runs a Socket Firewall command such as 'sfw npm install' in that directory, the attacker's JavaScript executes before Socket Firewall's security measures are applied, bypassing its package detection capabilities. Exploitation requires a developer to manage dependencies in the untrusted project and to execute Socket Firewall commands within that directory.
Impact
Exploitation of this vulnerability allows arbitrary code execution on the system where Socket Firewall is running, with the privileges of the user who invoked it. Because the injected code runs before Socket Firewall's checks take effect, the tool's package detection is bypassed for that invocation.
Reproduction
To reproduce this vulnerability, place a '.sfw.config' file in an untrusted project directory that defines a 'NODE_OPTIONS' variable containing a '--require' directive pointing to a JavaScript payload in that directory. Then run a Socket Firewall command, such as 'sfw npm install', from that directory. Socket Firewall loads the configuration file into the environment of the Node.js process, Node.js honours NODE_OPTIONS and requires the payload at startup, and the injected JavaScript runs before Socket Firewall's security controls are applied.
Remediation
Users should upgrade to Socket Firewall version 0.15.5 or later, which addresses the vulnerability by isolating configuration file values from subprocess environments. If Socket Firewall was installed manually, avoid running the tool in untrusted project directories, and inspect '.sfw.config' and '.env.local' for suspicious environment variable definitions, in particular NODE_OPTIONS values that load code with '--require' or similar flags, before using Socket Firewall in a new project.
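The following shell script is an added example and is not code from the Socket Firewall project or from this advisory. It covers both the reproduction layout above and the inspection step recommended for manual installs: 'make_untrusted_project' builds the directory an attacker would hand a developer (the '.sfw.config' with a NODE_OPTIONS '--require' line), and 'inspect_project_env_files' is a pre-flight check that scans '.sfw.config' and '.env.local' for definitions that would make Node.js load code before the wrapped command runs. The KEY=VALUE file format, the payload file name 'payload.js', and the extra variables flagged beyond NODE_OPTIONS are assumptions of this example, not facts from the advisory; nothing here invokes 'sfw' itself.

```sh
#!/bin/sh
# Added example; not code from the Socket Firewall project or the advisory.
# Assumptions: '.sfw.config' and '.env.local' are KEY=VALUE files (format
# assumed), and the payload file name 'payload.js' is made up for this demo.

# Lay out the untrusted project the advisory describes: a '.sfw.config' that
# sets NODE_OPTIONS so Node.js requires an attacker-controlled file on startup.
make_untrusted_project() {
  mkdir -p "$1"
  # Constructed payload. Under a vulnerable sfw this would run before any
  # package checks, because the config is injected into Node's environment.
  printf '%s\n' "console.log('payload ran before Socket Firewall checks')" > "$1/payload.js"
  printf '%s\n' 'NODE_OPTIONS=--require ./payload.js' > "$1/.sfw.config"
}

# Pre-flight check to run before the first 'sfw' command in a new project.
# Prints each risky definition; returns 1 if any was found, 0 if clean.
inspect_project_env_files() {
  found=0
  for f in "$1/.sfw.config" "$1/.env.local"; do
    [ -f "$f" ] || continue
    # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        ''|'#'*) continue ;;          # blank lines and comments
      esac
      line=${line#export }            # tolerate 'export KEY=VALUE' lines
      key=${line%%=*}
      val=${line#*=}
      case "$key" in
        NODE_OPTIONS)
          # Flags that make Node load code before the wrapped command runs.
          case "$val" in
            *--require*|*"-r "*|*--import*|*--loader*|*--experimental-loader*)
              echo "SUSPICIOUS $f: $line"; found=1 ;;
          esac ;;
        NODE_PATH|LD_PRELOAD|DYLD_INSERT_LIBRARIES)
          # Broader than the advisory (assumption): other variables that
          # redirect code loading are worth a look in an untrusted checkout.
          echo "SUSPICIOUS $f: $line"; found=1 ;;
      esac
    done < "$f"
  done
  return "$found"
}
```

Run 'inspect_project_env_files .' from the project root before the first 'sfw' command; a non-zero exit means a definition worth reading before proceeding. The check is a stop-gap for manually installed binaries; upgrading to 0.15.5 or later is the actual fix.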
