excel-as-json@0.0.1

Vulnerabilities: 2 via 2 paths

Dependencies: 94

Source: npm


high severity

Arbitrary File Overwrite

  • Vulnerable module: fstream
  • Introduced through: excel@0.1.7

Detailed paths

  • Introduced through: excel-as-json@0.0.1 excel@0.1.7 unzip2@0.2.5 fstream@0.1.31

Overview

fstream is a package that supports advanced FS Streaming for Node.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Remediation

Upgrade fstream to version 1.0.12 or higher.

low severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: excel@0.1.7

Detailed paths

  • Introduced through: excel-as-json@0.0.1 excel@0.1.7 underscore@1.3.3
    Remediation: Upgrade to excel@1.0.0.

Overview

underscore is a functional programming helper library for JavaScript.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
// The 'variable' setting is spliced unsanitized into the source of the compiled
// template function, so attacker-controlled text here becomes executable code.
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
// Compiling and invoking even an empty template runs the injected statement.
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.