Command Injection Affecting cocoapods-downloader Open this link in a new tab package, versions <1.6.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
1 Apr 2022
2 Mar 2022
Alessio Della Libera of Snyk Research Team
How to fix?
cocoapods-downloader to version 1.6.2 or higher.
cocoapods-downloader is an A small library for downloading files from remotes in a folder.
Affected versions of this package are vulnerable to Command Injection via hg argument injection. When calling the
download function (when using
branch) is passed to the
hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.