@graphql-tools/git-loader@6.0.18

Vulnerabilities: 1 via 1 paths

Dependencies: 40

Source: npm


medium severity

Command Injection

  • Vulnerable module: @graphql-tools/git-loader
  • Introduced through: @graphql-tools/git-loader@6.0.18

Detailed paths

  • Introduced through: @graphql-tools/git-loader@6.0.18
    Remediation: Upgrade to @graphql-tools/git-loader@6.2.6.

Overview

Affected versions of this package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. As this is a dev tool, the input is generally controlled by the user who executes the command.

Remediation

Upgrade @graphql-tools/git-loader to version 6.2.6 or higher.
