Command Injection Affecting node-notifier package, versions <5.4.5 >=8.0.0 <8.0.2 >=9.0.0 <9.0.1


0.0
medium

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    EPSS 0.2% (57th percentile)
Expand this section
NVD
5.6 medium
Expand this section
Red Hat
5.6 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NODENOTIFIER-1035794
  • published 13 Dec 2020
  • disclosed 4 Nov 2020
  • credit Alessio Della Libera (d3lla)

How to fix?

Upgrade node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.

Overview

node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.