제출 #850875: Node.js check-peer-dependencies 4.3.4 OS Command Injection정보

제목Node.js check-peer-dependencies 4.3.4 OS Command Injection
설명[email protected] is vulnerable to OS command injection when processing package names from peerDependencies. The package reads dependency names from package.json and later interpolates those names into shell command strings. When --findSolutions is enabled, a malicious dependency name is passed into an npm view <package> versions command. Because the command is executed through shelljs.exec(), shell metacharacters in the dependency name are interpreted by the operating system shell. The same data flow can also affect installation flows: generated npm install / yarn add command strings are later executed through shelljs.exec() when --install is used. The PoC was verified against the current npm latest version 4.3.4.
원천⚠️ https://github.com/christopherthielen/check-peer-dependencies/issues/74
사용자
 Dremig (UID 95003)
제출2026. 06. 07. AM 08:41 (1 월 ago)
모더레이션2026. 07. 08. AM 09:36 (1 month later)
상태수락
VulDB 항목376784 [christopherthielen check-peer-dependencies 까지 4.3.4 peerDependencies dist/packageUtils.js shelljs.exec 권한 상승]
포인트들20

Interested in the pricing of exploits?

See the underground prices here!