Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-25923: Snyk Vulnerability Database | Snyk

Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.

CVE
Open in Source
#vulnerability#js

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

  • Snyk ID SNYK-JS-EXECLOCALBIN-3157956
  • published 20 Dec 2022
  • disclosed 6 Dec 2022
  • credit JHU System Security Lab

How to fix?

Upgrade exec-local-bin to version 1.2.0 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.

PoC

var root = require("exec-local-bin")
root("& touch JHU",{})

Related news

GHSA-f259-h6m8-hm8m: exec-local-bin vulnerable to Command Injection

Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the `theProcess()` functionality due to improper user-input sanitization.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE