chrome-launcher is a library to launch Google Chrome with ease from node.
Affected versions of this package are vulnerable to Command Injection. By controlling the
$HOME environment variable in Linux operating systems, an attacker can execute arbitrary code.
var malicious_code = '& touch malicious_file &'; process.env.HOME += "/" + malicious_code; var Root = require("chrome-launcher"); Root.launch();
chrome-launcher to version 0.13.2 or higher.