All versions of npm-programmatic are vulnerable to Command Injection. The package does not sanitize the package name it receives; it interpolates it into a shell command string that is passed directly to an `exec` call in the `install`, `uninstall` and `list` functions. Because `exec` runs the string through a shell, a package name containing shell metacharacters (for example `;`, `&&`, `|` or `$( )`) is interpreted as additional commands. An attacker who controls the package name passed to any of these functions can therefore execute arbitrary commands on the host with the privileges of the calling process.
No fix is currently available. Consider using an alternative package until a fix is made available. If the package cannot be replaced, do not pass user-controlled values to `install`, `uninstall` or `list`; validate any package name against npm's naming rules before it reaches these functions.
CPE

Name | Operator | Version
---|---|---
npm-programmatic | le (<=) | 0.0.12