Command Injection Vulnerability in npm-programmatic by npm
CVE-2020-7614

9.8CRITICAL

Key Information:

Vendor: Npm-programmatic Project
Status: Npm-programmatic
Vendor: CVE Published:; 7 April 2020

🔔 Create Npm-programmatic Project Vulnerability Alert

What is CVE-2020-7614?

The npm-programmatic package, up to version 0.0.12, is susceptible to command injection vulnerabilities due to improper handling of user-supplied data. In the application, the concatenation of the packages and options properties occurs without validation, allowing an attacker to exploit the 'exec' function, potentially executing arbitrary commands on the host system. This flaw emphasizes the importance of proper input validation to mitigate risks associated with command injection.

Affected Version(s)

npm-programmatic All versions including 0.0.12

References

https://snyk.io/vuln/SNYK-JS-NPMPROGRAMMATIC-564115

x_refsource_MISC

https://github.com/Manak/npm-programmatic/blob/master/ind...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2020
Vulnerability Reserved
Jan 21, 2020

CVE-2020-7614 Data

JSON