Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQyNmgtMjR2ai1xd3hm
Command Injection in npm-programmatic
All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions . This may allow attackers to execute arbitrary code in the system if the package name passed to the function is user-controlled.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-426h-24vj-qwxfJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQyNmgtMjR2ai1xd3hm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-426h-24vj-qwxf, CVE-2020-7614
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7614
- https://github.com/Manak/npm-programmatic/blob/master/index.js#L18
- https://snyk.io/vuln/SNYK-JS-NPMPROGRAMMATIC-564115
- https://www.npmjs.com/advisories/1507
- https://github.com/advisories/GHSA-426h-24vj-qwxf
Blast Radius: 29.9
Affected Packages
npm:npm-programmatic
Dependent packages: 103Dependent repositories: 1,127
Downloads: 6,938 last month
Affected Version Ranges: <= 0.0.12
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12