
CVE-2023-27848

Critical · Public PoC · RCE

Published: 24 April 2023
Modified: 05 February 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0626 (91.1th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-27848 is a critical-severity Command Injection (CWE-77) vulnerability in the Broccoli-Compass Project's Broccoli-Compass package. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-27848 is a remote code execution vulnerability affecting broccoli-compass version 0.2.4, an npm package that integrates the Compass CSS authoring framework with the Broccoli build tool. The flaw stems from unsafe use of the Node.js child_process API (the module used to spawn external commands), corresponding to CWE-77 command injection, and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.

An unauthenticated attacker can supply crafted input that reaches the vulnerable child_process invocation, resulting in arbitrary command execution on the host system. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected process and any data it can access.

Public references consist of a detailed vulnerability report hosted on GitHub and the package listing on npm; neither source describes an available patch or official mitigation guidance. The associated EPSS score has remained flat at 0.0626 with no material increase since disclosure.


Vulnerability details

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: broccoli-compass project
Product: broccoli-compass
Version: 0.2.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
