get-npm-package-version is vulnerable to command injection. The vulnerability exists because the `module.exports` function of `index.js` does not properly sanitize the `packageName` and `registry` parameters, allowing an attacker to inject and execute malicious code.
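A defensive pattern for this kind of call, shown as an added example (it is not the package's code or its actual patch): validate both parameters against an allow-list and pass them to `npm` as an argument array, so no shell ever parses them. It assumes the lookup runs `npm view <name> version` on a POSIX system with `npm` on the PATH; the names `buildNpmViewArgs`, `getVersion` and `NAME_RE` are hypothetical.

```javascript
// Added example, not the package's own code. Helper names are hypothetical.
// Conservative allow-list for npm package names, optionally scoped.
// A leading "-" is rejected so a name can never be read as an npm option.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._~-]*\/)?[a-z0-9][a-z0-9._~-]*$/;

function buildNpmViewArgs(packageName, registry) {
  if (typeof packageName !== 'string' || packageName.length > 214 ||
      !NAME_RE.test(packageName)) {
    throw new TypeError('invalid package name');
  }
  const args = ['view', packageName, 'version'];
  if (registry !== undefined) {
    let url;
    try {
      url = new URL(String(registry));
    } catch {
      throw new TypeError('invalid registry URL');
    }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      throw new TypeError('registry must be an http(s) URL');
    }
    // Use the parser's normalized form rather than the caller's raw string.
    args.push(`--registry=${url.href}`);
  }
  return args;
}

async function getVersion(packageName, registry) {
  const { execFileSync } = await import('node:child_process');
  // execFileSync hands the arguments to npm as an argv array. No shell is
  // involved, so characters such as ; | & or backticks have no special meaning.
  const out = execFileSync('npm', buildNpmViewArgs(packageName, registry), {
    encoding: 'utf8',
    timeout: 15000,
  });
  return out.trim();
}
```

Input that fails validation raises a `TypeError` before any process is spawned, which also gives callers a single place to log rejected values.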
| CPE | Name | Operator | Version |
|---|---|---|---|
| | get-npm-package-version | le | 1.0.6 |
github.com/advisories/GHSA-4h66-vghf-xg5x
github.com/hoperyy/get-npm-package-version/blob/338a5882298eb2c2194538db41166cae13c39e03/index.js#L17
github.com/hoperyy/get-npm-package-version/commit/40b1cf31a0607ea66f9e30a0c3af1383b52b2dec
github.com/hoperyy/get-npm-package-version/pull/1
www.npmjs.com/package/get-npm-package-version/v/1.0.6