codecov is vulnerable to remote code execution (RCE). Due to an incomplete fix of CVE-2020-7596, the gcov-root and other parameters are not properly sanitized before being executed in the exe function of lib/codecov.js, allowing an attacker to trigger RCE.