Remote Code Execution

Affecting xterm package, versions >=3.8.0 <3.8.1 || >=3.9.0 <3.9.2 || >=3.10.0 <3.10.1

high severity

Overview

xterm is a front-end component written in TypeScript that lets applications bring fully-featured terminals to their users in the browser. It's used by popular projects such as VS Code, Hyper and Theia.

Affected versions of this package are vulnerable to Remote Code Execution because the component mishandles special characters.

Remediation

Upgrade xterm to version 3.8.1, 3.9.2, 3.10.1 or higher.
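To turn the affected-version ranges above into a repeatable check, the following is an added example (not code from the Snyk advisory or from the xterm project) that scans an npm lockfile for xterm entries whose version falls inside the advisory's ranges and names the fix release for that line. It assumes the package-lock.json v2 layout (a `packages` map keyed by install path, each with a `version`), implements only the small subset of semver range syntax the advisory uses rather than pulling in the `semver` package, and the lockfile content is constructed for illustration.

```javascript
// Added example: check installed xterm versions against the advisory ranges.
// Not part of the Snyk advisory or the xterm project.

// Ranges and fix releases exactly as stated in the advisory.
const AFFECTED_RANGES = ">=3.8.0 <3.8.1 || >=3.9.0 <3.9.2 || >=3.10.0 <3.10.1";
const FIXED_VERSIONS = ["3.8.1", "3.9.2", "3.10.1"];

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v" or "=", and with any
// pre-release/build suffix ignored) into an array of three numbers.
function parseVersion(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not string, order).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const COMPARATOR = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/;

// Evaluate a single comparator such as ">=3.8.0" against a version.
function satisfiesComparator(version, comparator) {
  const m = COMPARATOR.exec(comparator.trim());
  if (!m) throw new Error(`unparseable comparator: ${comparator}`);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">":  return cmp > 0;
    case "<":  return cmp < 0;
    default:   return cmp === 0;
  }
}

// A range is "||"-separated alternatives; within an alternative every
// whitespace-separated comparator must hold.
function satisfiesRange(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => satisfiesComparator(version, c))
  );
}

function isAffected(version) {
  return satisfiesRange(version, AFFECTED_RANGES);
}

// Smallest fix release above the given version, i.e. the upgrade target for its line.
function suggestedUpgrade(version) {
  return FIXED_VERSIONS.find((fixed) => compareVersions(fixed, version) > 0);
}

// Constructed package-lock.json (lockfileVersion 2) fragment: two xterm copies,
// one nested under another dependency, only the first one affected.
const CONSTRUCTED_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "node_modules/xterm": { version: "3.9.1" },
    "node_modules/some-terminal-ui/node_modules/xterm": { version: "3.10.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

// Return every lockfile path that resolves to an affected xterm version.
function findAffectedXterm(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const packages = lock.packages || {};
  return Object.entries(packages)
    .filter(([path, entry]) => path.endsWith("node_modules/xterm") && entry.version)
    .filter(([, entry]) => isAffected(entry.version))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Usage: report each affected copy with the fix release for its line.
for (const hit of findAffectedXterm(CONSTRUCTED_LOCKFILE)) {
  console.log(`${hit.path}: xterm ${hit.version} is affected; upgrade to ${suggestedUpgrade(hit.version)}`);
}
```

Nested copies matter here: a single `npm ls xterm` at the top level can miss an xterm pinned by a transitive dependency, which is why the scan walks every lockfile path ending in `node_modules/xterm` rather than only the root entry.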

Credit: Felix Wilhelm
CVE: CVE-2019-0542
CWE: CWE-94
Snyk ID: SNYK-JS-XTERM-73496
Disclosed: 09 Jan, 2019
Published: 10 Jan, 2019