GHSA-49mg-94fc-2fx6

Suggest an improvement
Source
https://github.com/advisories/GHSA-49mg-94fc-2fx6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-49mg-94fc-2fx6/GHSA-49mg-94fc-2fx6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-49mg-94fc-2fx6
Published
2020-09-04T17:32:49Z
Modified
2020-08-31T19:00:00Z
Summary
Command Injection in npm-git-publish
Details

All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific 
{
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:00:00Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
}
References

Affected packages

npm / npm-git-publish

Package

Name
npm-git-publish
View open source insights on deps.dev
Purl
pkg:npm/npm-git-publish

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-49mg-94fc-2fx6/GHSA-49mg-94fc-2fx6.json"