104 matches found
Arbitrary Command Injection
npm-git-publish is vulnerable to arbitrary command injection. The vulnerability exists as gitRemoteUrl and gitRepoDir in lib/publish.ts are not sanitized, and are passed to execSync as a value to be executed...
Remote Code Execution Vulnerability in NPM mongo-express
Impact Remote code execution on the host machine by any authenticated user. Proof Of Concept Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator: javascript this.constructor.constructor"return...
GHSA-38H8-X697-GH8Q Tmp files readable by other users in sync-exec
Affected versions of sync-exec use files located in /tmp/ to buffer command results before returning values. As /tmp/ is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via sync-exec under a higher privilege...
Node.js third-party modules: `fs-path` concatenates unsanitized input into exec()/execSync() commands
I would like to report command injection in fs-path. It allows one to inject and execute arbitrary shell commands while performing various operations from the fs-path API like copying files. Module module name: fs-path version: 0.0.24 npm page: https://www.npmjs.com/package/fs-path Module Description...