Homepage

org.webjars.npm:glob@4.2.1 vulnerabilities

  • latest version

    11.0.3

  • first published

    10 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:glob package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Command Injection

    Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild() on them, which defaults to setting shell: true. An attacker who can control the filenames being matched can execute arbitrary commands with the privileges of the user running the process by writing files with malicious names containing shell metacharacters - e.g. $(touch injected_poc).

    The malicious filename must be the target of a match by the glob -c command. Such filenames would not trigger this exploit when invoking glob() or related functions via the library API.

    How to fix Command Injection?

    A fix was pushed into the master branch but not yet published.

    [0,)
    Go back to all versions of this package