GHSA-pxcc-hj8w-fmm7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pxcc-hj8w-fmm7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-pxcc-hj8w-fmm7/GHSA-pxcc-hj8w-fmm7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pxcc-hj8w-fmm7
- Aliases
- Related
- Published
- 2021-04-06T17:25:12Z
- Modified
- 2026-02-04T02:33:30.417789Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Command injection vulnerability in @prisma/sdk in getPackedPackage function
- Details
-
Impact
As of today, we are not aware of any Prisma users or external consumers of the
@prisma/sdkpackage who are affected by this security vulnerability.This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
It only affects the
getPackedPackagefunction and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase.Patches
Fixed in - @prisma/sdk@2.20.0 (latest channel) - @prisma/sdk@2.20.0-dev.29 (dev channel)
Pull Request closing this vulnerability https://github.com/prisma/prisma/pull/6245
Acknowledgements
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
For more information
If you have any questions or comments about this advisory:
- Create a discussion in the Prisma repository
- Email us at security@prisma.io
- Database specific
{ "nvd_published_at": "2021-04-29T01:15:00Z", "cwe_ids": [ "CWE-78" ], "github_reviewed_at": "2021-03-31T18:00:32Z", "severity": "HIGH", "github_reviewed": true }- References
Affected packages
npm / @prisma/sdk
Package
- Name
- @prisma/sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/%40prisma/sdk