network-manager is vulnerable to OS command injection. The vulnerability exists because the unsanitized value of index.process.env.NM_CLI in linux/manager.js, used by getDevices() in linux/manager.js, reaches child_process.execSync() through runCommand().
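The data flow above and one way to close it, as an added example that is not the package's own code: the vulnerable shape appears only as a comment, and the hardened runCommand() validates NM_CLI against an allowlist and calls execFileSync() without a shell. The names NM_CLI, getDevices() and runCommand() come from the advisory; the function bodies, the "nmcli" default, the nmcli arguments, and the helpers resolveNmcli() and parseDevices() are assumptions.

```javascript
const { execFileSync } = require("child_process");

// Vulnerable shape described by the advisory (reconstruction, not package code):
//   const cmd = process.env.NM_CLI || "nmcli";
//   execSync(`${cmd} device status`);  // the whole string is parsed by /bin/sh

// Allowlist: an absolute path built from conservative characters, ending in /nmcli.
const SAFE_NMCLI = /^(?:\/[A-Za-z0-9._-]+)*\/nmcli$/;

// Hypothetical helper: returns the binary to run, or throws if NM_CLI holds
// anything other than "nmcli" or an absolute path to a file named nmcli.
function resolveNmcli(env = process.env) {
  const value = env.NM_CLI;
  if (value === undefined || value === "") return "nmcli"; // assumed default
  if (value === "nmcli" || SAFE_NMCLI.test(value)) return value;
  throw new Error("NM_CLI rejected: expected 'nmcli' or an absolute path to nmcli");
}

// Hardened runCommand(): no shell is spawned and arguments travel as an array,
// so shell metacharacters in any value are never interpreted.
function runCommand(args, env = process.env) {
  return execFileSync(resolveNmcli(env), args, { encoding: "utf8", shell: false });
}

// Hypothetical helper: parses terse nmcli output ("DEVICE:TYPE:STATE" per line).
// Simplification: assumes field values contain no escaped colons.
function parseDevices(output) {
  return output
    .split("\n")
    .filter(Boolean)
    .map((line) => {
      const [device, type, state] = line.split(":");
      return { device, type, state };
    });
}

// getDevices() rebuilt on the hardened path; requires nmcli to be installed.
function getDevices(env = process.env) {
  const args = ["-t", "-f", "DEVICE,TYPE,STATE", "device", "status"];
  return parseDevices(runCommand(args, env));
}
```
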