Description
OS Command injection in npm-lockfile
npm-lockfile safely generates an npm lockfile and outputs it to the filename of your choice. npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command execution API with that input, causing a command injection vulnerability. A fix was released in version 2.0.5.
Packages
Name: npm-lockfile (npm)
Affected versions: >= 2.0.3, < 2.0.5
Fixed version: 2.0.5
Related vulnerabilities
CVSS3: 5.3
redhat
almost 4 years ago
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.
CVSS3: 9.8
nvd
almost 4 years ago
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.