<p>There is no fixed version for <code>node-prompt-here</code>.</p>

Command Injection Affecting node-prompt-here package, versions *

Snyk CVSS

Attack Complexity High

Confidentiality High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 1.45% (87^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-NODEPROMPTHERE-560115
published 13 Mar 2020
disclosed 13 Mar 2020
credit JHU System Security Lab

Report a new vulnerability Found a mistake?

Introduced: 13 Mar 2020

CVE-2020-7602 Open this link in a new tab CWE-78 Open this link in a new tab First added by Snyk

How to fix?

There is no fixed version for node-prompt-here.

Overview

node-prompt-here is a package to open a console window at given absolute directory.

Affected versions of this package are vulnerable to Command Injection. The runCommand() is called by getDevices() function in file linux/manager.js, which is required by the index. process.env.NM_CLI in the file "linux/manager.js" . This function is used to construct the argument of function execSync(), which can be controlled by users without any sanitization.

PoC

process.env.NM_CLI = 'echo vulnerable > create.txt & nmcli';
var root = require("network-manager");
root.getDevices();

References

Vulnerable Code