Command Injection in npm-git-publish
Critical severity
GitHub Reviewed
Published
Sep 4, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 4, 2020
Last updated
Jan 9, 2023
All versions of
npm-git-publish
are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to anexecSync
call, which may allow attackers to execute arbitrary code in the system. Thepublish
function is vulnerable through thegitRemoteUrl
variable.Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
References