Gửi #850875: Node.js check-peer-dependencies 4.3.4 OS Command Injectionthông tin

tiêu đềNode.js check-peer-dependencies 4.3.4 OS Command Injection
Mô tả[email protected] is vulnerable to OS command injection when processing package names from peerDependencies. The package reads dependency names from package.json and later interpolates those names into shell command strings. When --findSolutions is enabled, a malicious dependency name is passed into an npm view <package> versions command. Because the command is executed through shelljs.exec(), shell metacharacters in the dependency name are interpreted by the operating system shell. The same data flow can also affect installation flows: generated npm install / yarn add command strings are later executed through shelljs.exec() when --install is used. The PoC was verified against the current npm latest version 4.3.4.
Nguồn⚠️ https://github.com/christopherthielen/check-peer-dependencies/issues/74
Người dùng
 Dremig (UID 95003)
Đệ trình07/06/2026 08:41 (cách đây 1 tháng)
Kiểm duyệt08/07/2026 09:36 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB376784 [christopherthielen check-peer-dependencies đến 4.3.4 peerDependencies dist/packageUtils.js shelljs.exec nâng cao đặc quyền]
điểm20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!