提交 #850875: Node.js check-peer-dependencies 4.3.4 OS Command Injection信息

标题Node.js check-peer-dependencies 4.3.4 OS Command Injection
描述[email protected] is vulnerable to OS command injection when processing package names from peerDependencies. The package reads dependency names from package.json and later interpolates those names into shell command strings. When --findSolutions is enabled, a malicious dependency name is passed into an npm view <package> versions command. Because the command is executed through shelljs.exec(), shell metacharacters in the dependency name are interpreted by the operating system shell. The same data flow can also affect installation flows: generated npm install / yarn add command strings are later executed through shelljs.exec() when --install is used. The PoC was verified against the current npm latest version 4.3.4.
来源⚠️ https://github.com/christopherthielen/check-peer-dependencies/issues/74
用户
 Dremig (UID 95003)
提交2026-06-07 08時41分 (1 月前)
管理2026-07-08 09時36分 (1 month later)
状态已接受
VulDB条目376784 [christopherthielen check-peer-dependencies 直到 4.3.4 peerDependencies dist/packageUtils.js shelljs.exec 权限提升]
积分20

Do you want to use VulDB in your project?

Use the official API to access entries easily!