Command Injection Affecting global-modules-path package, versions <3.0.0
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.41% (74th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GLOBALMODULESPATH-3167973
- published 12 Jan 2023
- disclosed 13 Dec 2022
- credit Johns Hopkins
Introduced: 13 Dec 2022
CVE-2022-21191 Open this link in a new tabHow to fix?
Upgrade global-modules-path
to version 3.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath
function.
PoC
var root = require("global-modules-path")
root.getPath("& touch JHU","& touch exploit")