Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4eGgtd3Bnci03Zm04
Command Injection in open
Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in.
The package does come with the following warning in the readme:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
Recommendation
open is now the deprecated opn package. Upgrading to the latest version is likely to have unwanted effects, since it now has a very different API, but it will prevent this vulnerability.
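Added example, not code from the advisory, the ecosyste.ms page or the open/opn package: a defensive pre-check for callers that still pass user-supplied strings to open() and cannot upgrade immediately. The names safeOpenTarget and screen, the character allowlist and the sample inputs are constructed for this illustration.

```javascript
// Defensive pre-check for the pattern the advisory describes: on a vulnerable
// (< 6.0.0) release the argument can reach a shell, so only let through
// http(s) URLs built from characters that carry no meaning to a shell.
// Reject-by-default: ; & | $ ` ' " ( ) < > and whitespace are all refused.
// Query strings that need '&' must be passed already percent-encoded (%26).
const SHELL_SAFE_URL = /^[A-Za-z0-9\-._~:/?#@!*+,=%]+$/;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized URL string if `input` is acceptable, otherwise null.
function safeOpenTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  let url;
  try {
    url = new URL(input); // throws for anything that is not an absolute URL
  } catch (_) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return null; // no file:, no custom schemes, no bare executable names
  }
  // Check the normalized form that would actually be handed on, not the raw input.
  const href = url.href;
  return SHELL_SAFE_URL.test(href) ? href : null;
}

// Constructed inputs exercising the check (not real user data).
const SAMPLES = [
  'https://example.com/docs?page=2',   // accepted
  'http://example.com/;echo injected', // rejected: shell separator in the path
  'file:///etc/hosts',                 // rejected: protocol not on the allowlist
  'notepad.exe',                       // rejected: not a URL at all
];

// Screens a batch of candidate targets; `target` is null for refused inputs.
function screen(inputs) {
  return inputs.map((s) => ({ input: s, target: safeOpenTarget(s) }));
}

console.table(screen(SAMPLES));
```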
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4eGgtd3Bnci03Zm04
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-28xh-wpgr-7fm8
References:
- https://github.com/pwnall/node-open/issues/68
- https://github.com/pwnall/node-open/issues/69
- https://hackerone.com/reports/319473
- https://www.npmjs.com/advisories/663
- https://github.com/advisories/GHSA-28xh-wpgr-7fm8
Blast Radius: 0.0
Affected Packages
npm:open
Dependent packages: 12,019
Dependent repositories: 2,432,186
Downloads: 160,653,119 last month
Affected Version Ranges: < 6.0.0
Fixed in: 6.0.0
All affected versions: 0.0.0, 0.0.2, 0.0.3, 0.0.4, 0.0.5
All unaffected versions: 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.4.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.4.1, 8.4.2, 9.0.0, 9.1.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1.0