Command Injection The advisory has been revoked - it doesn't affect any version of package npm-node-utils (opens in a new tab)
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NPMNODEUTILS-3175607
- published19 Dec 2022
- disclosed19 Dec 2022
- creditMingqing Kang
Introduced: 19 Dec 2022
CVE NOT AVAILABLE CWE-78 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
There is no fixed version for npm-node-utils.
Amendment
This was deemed not a vulnerability.
Overview
Affected versions of this package are vulnerable to Command Injection via the getRemotePackageInfo function due to improper input sanitization.
PoC
var root = require("get-global-packages")
root.getRemotePackageInfo({"name":"& touch JHU &"})