Command Injection Affecting jison package, versions *



    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 1.35% (86th percentile)
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-JISON-570539
  • published 28 May 2020
  • disclosed 28 May 2020
  • credit 0x48piraj

How to fix?

There is no fixed version for jison.


jison is a package that provides an API for creating parsers in JavaScript.

Affected versions of this package are vulnerable to Command Injection. Arbitrary OS shell command execution is possible through a crafted command-line argument.