<p>Upgrade <code>bunyan</code> to version 1.8.13, 2.0.3 or higher.</p>

Remote Code Execution (RCE) Affecting bunyan package, versions <1.8.13 >=2.0.0 <2.0.3

Snyk CVSS

Attack Complexity Low

Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-BUNYAN-573166
published 24 Jun 2020
disclosed 24 Jun 2020
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 24 Jun 2020

CWE-94 Open this link in a new tab

How to fix?

Upgrade bunyan to version 1.8.13, 2.0.3 or higher.

Overview

bunyan is an a JSON logging library for node.js services

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via insecure command formatting which allowed creating a "hacked" file in the current dir.

References

GitHub Commit
GitHub Commit
HackerOne Report