GHSA-426h-24vj-qwxf

Suggest an improvement
Source
https://github.com/advisories/GHSA-426h-24vj-qwxf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-426h-24vj-qwxf/GHSA-426h-24vj-qwxf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-426h-24vj-qwxf
Aliases
Published
2020-04-23T20:09:09Z
Modified
2026-03-13T22:11:35.047943Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Command Injection in npm-programmatic
Details

All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions . This may allow attackers to execute arbitrary code in the system if the package name passed to the function is user-controlled.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-23T20:02:33Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2020-04-07T14:15:00Z"
}
References

Affected packages

npm / npm-programmatic

Package

Name
npm-programmatic
View open source insights on deps.dev
Purl
pkg:npm/npm-programmatic

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.0.12

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-426h-24vj-qwxf/GHSA-426h-24vj-qwxf.json"