EPSS Percentile: 83.8%
node-prompt-here is vulnerable to remote code execution (RCE). The runCommand() function in linux/manager.js accepts user-provided arguments without sanitization, allowing the user to gain control over index. process.env.NM_CLI.
github.com/s-a/node-prompt-here/blob/master/index.js#L19