Arbitrary Command Injection Affecting open Open this link in a new tab package, versions <6.0.0

Exploit Maturity

Proof of concept
Attack Complexity

Low
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

npm:open:20180512
published

13 May 2018
disclosed

12 May 2018
credit

ChALkeR

Report a new vulnerability Found a mistake?

Introduced: 12 May 2018

CWE-264 Open this link in a new tab

How to fix?

Upgrade open to version 6.0.0 or higher.

Overview

open is a cross platform package that opens stuff like URLs, files, executables.

Affected versions of this package are vulnerable to Arbitrary Command Injection. Urls are not properly escaped before concatenating them into the command that is opened using exec().

Note: Upgrading open to the last version will prevent this vulnerability but is also likely to have unwanted effects since it now has a very different API.

References

HackerOne Report

Arbitrary Command Injection Affecting open Open this link in a new tab package, versions <6.0.0

Exploit Maturity

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 12 May 2018

How to fix?

Overview

References