Homepage
About Snyk

Arbitrary Command Injection Affecting open package, versions <6.0.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:open:20180512
  • published 13 May 2018
  • disclosed 12 May 2018
  • credit ChALkeR
Report a new vulnerability Found a mistake?

Introduced: 12 May 2018

CVE NOT AVAILABLE CWE-264 Open this link in a new tab

How to fix?

Upgrade open to version 6.0.0 or higher.

Overview

open is a cross platform package that opens stuff like URLs, files, executables.

Affected versions of this package are vulnerable to Arbitrary Command Injection. Urls are not properly escaped before concatenating them into the command that is opened using exec().

Note: Upgrading open to the last version will prevent this vulnerability but is also likely to have unwanted effects since it now has a very different API.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.4 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High