Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdwN20tbXJ2Zi01OTlj
Command Injection in node-df
All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-wp7m-mrvf-599cJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdwN20tbXJ2Zi01OTlj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-wp7m-mrvf-599c, CVE-2019-15597
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15597
- https://hackerone.com/reports/703412
- https://www.npmjs.com/advisories/1431
- https://github.com/advisories/GHSA-wp7m-mrvf-599c
Affected Packages
npm:node-df
Dependent packages: 24Dependent repositories: 90
Downloads: 22,128 last month
Affected Version Ranges: <= 0.1.4
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.4