GHSA-8whr-v3gm-w8h9

Suggest an improvement
Source
https://github.com/advisories/GHSA-8whr-v3gm-w8h9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8whr-v3gm-w8h9/GHSA-8whr-v3gm-w8h9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8whr-v3gm-w8h9
Withdrawn
2026-01-23T22:49:42Z
Published
2020-09-03T15:51:04Z
Modified
2026-02-03T03:08:01.789631Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
Summary
Duplicate Advisory: Command Injection in node-rules
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f78f-353m-cf4j. This link is maintained to preserve external references.

Original Description

Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are user-controlled.

Recommendation

Upgrade to version 5.0.0 or later.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed_at": "2020-08-31T19:01:30Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / node-rules

Package

Name
node-rules
View open source insights on deps.dev
Purl
pkg:npm/node-rules

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8whr-v3gm-w8h9/GHSA-8whr-v3gm-w8h9.json"