CVE-2022-43441: 
JavaScript vulnerability analysis and mitigation

A code execution vulnerability (CVE-2022-43441) was discovered in Ghost Foundation's node-sqlite3 version 5.1.1, specifically affecting the Statement Bindings functionality. The vulnerability was discovered by Dave McDaniel of Cisco Talos and publicly disclosed on March 16, 2023. The vulnerability affects node-sqlite3 versions from 5.0.0 up to (excluding) 5.1.5, which provides asynchronous, non-blocking SQLite3 bindings for Node.js within Ghost CMS (Talos Report, NVD).

The vulnerability exists in the Statement Bindings functionality where a specially-crafted Javascript file can lead to arbitrary code execution. The issue occurs when SQL query parameters are bound to a statement, and those parameters are processed through a loop within the Statement::Bind() function. The vulnerability stems from the toString() operation on received objects, which calls napi_coerce_to_string(). This implementation can potentially execute JavaScript code if the passed-in value is an object. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 8.1 (HIGH) from Talos (Talos Report, GitHub Advisory).

When exploited, this vulnerability can lead to arbitrary code execution in applications using the vulnerable node-sqlite3 module. In the specific case of Ghost CMS, due to JSON format restrictions, the vulnerability manifests as a remote denial of service attack that crashes the entire Node.js service that Ghost CMS is running on (Talos Report).

The vulnerability has been patched in node-sqlite3 version 5.1.5. All users are recommended to upgrade to version 5.1.5 or later. As a workaround, users should ensure sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters (GitHub Advisory).