<p>There is no fix version for <code>buttle</code>.</p>

Arbitrary Command Injection Affecting buttle package, versions *

Snyk CVSS

Attack Complexity Low

Scope Changed

Confidentiality High

Availability High

Threat Intelligence

Exploit Maturity Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:buttle:20180512
published 13 May 2018
disclosed 12 May 2018
credit bl4de

Report a new vulnerability Found a mistake?

Introduced: 12 May 2018

CWE-264 Open this link in a new tab

How to fix?

There is no fix version for buttle.

Overview

buttle is a Simple static file (+ markdown) server.

Affected versions of this package are vulnerable to Arbitrary Command Injection. When buttle is run with --php-bin option (to handle PHP), the PHP filename is not sanitized and allows to inject shell commands.

References

HAckerOne Report