Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JS-NODENOTIFIER-1035794
- published 13 Dec 2020
- disclosed 4 Nov 2020
- credit Alessio Della Libera (d3lla)
How to fix?
node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.
node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the
options params not being sanitised when being passed an array.