Command Injection Affecting org.webjars.npm:node-notifier package, versions [,5.4.5)

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    13 Dec 2020

  • disclosed

    4 Nov 2020

  • credit

    Alessio Della Libera (d3lla)

How to fix?

Upgrade org.webjars.npm:node-notifier to version 5.4.5 or higher.


org.webjars.npm:node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.