Command Injection Affecting node-notifier Open this link in a new tab package, versions <5.4.5 >=8.0.0 <8.0.2 >=9.0.0 <9.0.1


0.0
medium
  • Attack Complexity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JS-NODENOTIFIER-1035794

  • published

    13 Dec 2020

  • disclosed

    4 Nov 2020

  • credit

    Alessio Della Libera (d3lla)

How to fix?

Upgrade node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.

Overview

node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.