Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRxcWMtbXA1Zi1jY3Y0
Command Injection in bestzip
Versions of bestzip prior to 2.1.7 are vulnerable to Command Injection. The package fails to sanitize its input and passes it directly to an exec call in the zip function. This may allow attackers to execute arbitrary code on the system as long as the value of destination is user-controlled. This only affects users with a native zip command available. The following examples demonstrate the issue from the CLI and programmatically:
bestzip test.zip 'sourcefile; mkdir folder'
zip({ source: 'sourcefile', destination: './test.zip; mkdir folder' })
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRxcWMtbXA1Zi1jY3Y0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-4qqc-mp5f-ccv4
References:
Blast Radius: 0.0
Affected Packages
npm:bestzip
Dependent packages: 209
Dependent repositories: 3,407
Downloads: 1,182,428 last month
Affected Version Ranges: < 2.1.7
Fixed in: 2.1.7
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6
All unaffected versions: 2.1.7, 2.2.0, 2.2.1