Command Injection

2018-05-16T19:23:23
ID NODEJS:659
Type nodejs
Reporter Сковорода Никита Андреевич
Modified 2018-05-16T19:23:23

Description

Overview

Versions of command-exists before 1.2.4 are vulnerable to command injection. The issue is exploitable when an application passes user-controlled input to this module.

Recommendation

Update to version 1.2.4 or later.
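
The following is an added example, not code from this advisory or from the command-exists project: a caller-side guard that allowlists command names taken from user input and resolves them by walking PATH without invoking a shell. The helper names `isSafeCommandName` and `findOnPath` are hypothetical, the sample inputs are constructed, and POSIX execute-bit semantics are assumed.

```javascript
// Added example: caller-side guard for command names (hypothetical helpers,
// not part of the command-exists package).
const fs = require('fs');
const path = require('path');

// Allowlist: letters, digits, dot, underscore, plus, hyphen; no leading hyphen.
// Everything a shell treats specially (space, ;, |, &, $, `, quotes, newlines,
// slashes) is rejected, as are non-strings and over-long values.
const SAFE_NAME = /^[A-Za-z0-9._+][A-Za-z0-9._+-]{0,63}$/;

function isSafeCommandName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name);
}

// Shell-free lookup: walk PATH and test each candidate for the execute bit.
// No string is ever handed to a shell, so there is nothing to inject into.
function findOnPath(name, envPath = process.env.PATH || '') {
  if (!isSafeCommandName(name)) {
    throw new TypeError('rejected command name: ' + JSON.stringify(name));
  }
  for (const dir of envPath.split(path.delimiter)) {
    if (!dir) continue;
    const candidate = path.join(dir, name);
    try {
      fs.accessSync(candidate, fs.constants.X_OK);
      if (fs.statSync(candidate).isFile()) return candidate;
    } catch (err) {
      // Not present or not executable in this directory; keep looking.
    }
  }
  return null;
}

// Constructed inputs: plain names and several carrying shell metacharacters.
const samples = ['node', 'g++', 'node; echo injected', '$(id)', '-rf', 'a\nb', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isSafeCommandName(s) ? 'accepted' : 'rejected');
}
```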

References

  • HackerOne Report
  • https://github.com/mathisonian/command-exists/blob/v1.2.2/lib/command-exists.js#L49-L94