git-package-json@1.2.0

Vulnerabilities

1 via 1 paths

Dependencies

31

Source

npm


high severity

Command Injection

  • Vulnerable module: gry
  • Introduced through: gry@5.0.8

Detailed paths

  • Introduced through: git-package-json@1.2.0 → gry@5.0.8
    Remediation: Upgrade to gry@6.0.0.

Overview

gry is a minimalist NodeJS wrapper for the git commands. gry stands for Git Repository.

Affected versions of this package are vulnerable to Command Injection in lib/index.js and example.js: arguments passed to the wrapper's git methods are interpolated into a shell command without sanitization.

PoC

// poc.js
// The string passed to pull() is interpolated into the git shell command
// unsanitized, so the trailing "; touch HACKED; #" is executed by the shell.
const Repo = require("gry");
const myRepo = new Repo(".");
myRepo.pull('test; touch HACKED; #', function () { console.log('Finished!'); });

Remediation

Upgrade gry to version 6.0.0 or higher.