CVE-2023-27848
Published: 24 April 2023
Summary
CVE-2023-27848 is a critical-severity Command Injection (CWE-77) vulnerability in the broccoli-compass npm package (Broccoli-Compass Project). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-27848 is a remote code execution vulnerability affecting broccoli-compass version 0.2.4, an npm package that integrates the Compass CSS authoring framework with the Broccoli build tool. The flaw stems from unsafe use of the child_process function, corresponding to CWE-77 command injection, and carries a CVSS 3.1 base score of 9.8 reflecting network-accessible exploitation with no required privileges or user interaction.
An unauthenticated attacker can supply crafted input that reaches the vulnerable child_process invocation, resulting in arbitrary command execution on the host system. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected process and any data it can access.
Public references consist of a detailed vulnerability report hosted on GitHub and the package listing on npm; neither source describes an available patch or official mitigation guidance. The associated EPSS score has remained flat at 0.0626 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1412
Vulnerability details
broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.