In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was....
9.3CVSS
9.4AI Score
0.016EPSS
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of...
8.8CVSS
9.1AI Score
0.008EPSS
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args"...
8.8CVSS
8.9AI Score
0.006EPSS