GHSA-95rp-6gqp-6622: Command Injection Vulnerability in find-exec

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-40582

Command Injection Vulnerability in find-exec

Critical severity GitHub Reviewed Published Aug 30, 2023 in shime/find-exec • Updated Aug 30, 2023

Package

npm find-exec (npm)

Affected versions

< 1.0.3

Description

Older versions of the package are vulnerable to Command Injection as an attacker controlled parameter. As a result, attackers may run malicious commands.

For example:

const find = require("find-exec");
find("mplayer; touch hacked")

This creates a file named “hacked” on the filesystem.

You should never allow users to control commands to find, since this package attempts to run every command provided.

Thanks to @miguelafmonteiro for reporting.

References

• GHSA-95rp-6gqp-6622
• https://nvd.nist.gov/vuln/detail/CVE-2023-40582
• shime/find-exec@74fb108

Published to the GitHub Advisory Database

Aug 30, 2023

Last updated

Aug 30, 2023