Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3aHItdjNnbS13OGg5
Command Injection in node-rules
Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are user-controlled.
Recommendation
Upgrade to version 5.0.0 or later.
Permalink: https://github.com/advisories/GHSA-8whr-v3gm-w8h9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3aHItdjNnbS13OGg5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 7 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
Identifiers: GHSA-8whr-v3gm-w8h9
References:
- https://github.com/mithunsatheesh/node-rules/issues/84
- https://snyk.io/vuln/SNYK-JS-NODERULES-560426
- https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832
- https://github.com/advisories/GHSA-8whr-v3gm-w8h9
Blast Radius: 13.4
Affected Packages
npm:node-rules
Dependent packages: 15Dependent repositories: 45
Downloads: 7,196 last month
Affected Version Ranges: < 5.0.0
Fixed in: 5.0.0
All affected versions: 0.1.0, 1.1.0, 1.1.1, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 4.0.0, 4.0.1, 4.0.2
All unaffected versions: 5.0.0, 5.1.0, 5.2.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 7.0.0, 7.1.0, 7.2.0, 8.0.0, 8.1.0, 9.0.0, 9.1.0, 9.1.1