web-ext@6.5.0

Vulnerabilities

2 via 2 paths

Dependencies

455

Source

npm

high severity

Remote Code Execution (RCE)

  • Vulnerable module: shell-quote
  • Introduced through: fx-runner@1.1.0

Detailed paths

  • Introduced through: web-ext@6.5.0 fx-runner@1.1.0 shell-quote@1.6.1
    Remediation: Upgrade to web-ext@6.6.0.

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Remediation

Upgrade shell-quote to version 1.7.3 or higher.

medium severity

Command Injection

  • Vulnerable module: node-notifier
  • Introduced through: node-notifier@9.0.0

Detailed paths

  • Introduced through: web-ext@6.5.0 node-notifier@9.0.0
    Remediation: Upgrade to node-notifier@9.0.1.

Overview

node-notifier is a Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback).

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines because the options parameters are not sanitised when passed as an array.

Remediation

Upgrade node-notifier to version 5.4.5, 8.0.2, 9.0.1 or higher.
