    Severity: critical

    Command Injection

    node-rules

    Overview

    Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package does not sanitize input rules and passes them directly to an eval call inside the fromJSON function, so the rule document is executed as code rather than parsed as data. If the rules are user-controlled, this may allow attackers to execute arbitrary code on the system.
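    The safe counterpart to the pattern described above, as an added JavaScript example (this is not node-rules' own code and not the fix shipped in 5.0.0): a rule loader that treats the rule document purely as data via JSON.parse and resolves conditions and consequences by name from a registry of functions defined in code, rejecting any name it does not know. The registry contents, the rule field names (name, priority, condition, consequence), the run helper and both sample documents are constructed assumptions for this illustration.

```javascript
// Added example, not node-rules' code. Registry of functions the application is
// willing to run; a rule document may only refer to these by name.
const registry = {
  conditions: {
    isOverLimit: (fact) => fact.amount > fact.limit,
    isFlagged: (fact) => fact.flagged === true,
  },
  consequences: {
    deny: (fact) => { fact.result = 'deny'; },
    review: (fact) => { fact.result = 'review'; },
  },
};

// The unsafe pattern the advisory describes, shown only to name it (it is not
// executed anywhere in this example): strings from the document become code.
//   const rules = eval('(' + untrustedJson + ')');

// Look a name up in one registry section. hasOwnProperty.call keeps inherited
// keys such as "constructor" or "__proto__" from resolving to anything.
function resolveName(value, kind) {
  const table = registry[kind];
  if (typeof value !== 'string' || !Object.prototype.hasOwnProperty.call(table, value)) {
    throw new Error(`rule references unknown ${kind} "${String(value)}"`);
  }
  return table[value];
}

// Safe loader: JSON.parse yields data only; every function reference must be a
// registered name, and anything else is rejected before a rule object exists.
function fromJSONSafe(json) {
  const doc = JSON.parse(json);
  if (!Array.isArray(doc)) throw new Error('rule document must be an array');
  return doc.map((r, i) => {
    if (r === null || typeof r !== 'object') throw new Error(`rule ${i} is not an object`);
    return {
      name: typeof r.name === 'string' ? r.name : `rule-${i}`,
      priority: Number.isInteger(r.priority) ? r.priority : 0,
      condition: resolveName(r.condition, 'conditions'),
      consequence: resolveName(r.consequence, 'consequences'),
    };
  });
}

// Minimal engine (constructed): evaluate rules by descending priority, first
// matching rule fires and its name is returned; null when nothing matches.
function run(rules, fact) {
  const ordered = [...rules].sort((a, b) => b.priority - a.priority);
  for (const rule of ordered) {
    if (rule.condition(fact)) {
      rule.consequence(fact);
      return rule.name;
    }
  }
  return null;
}

// Constructed benign rule document, as it might be loaded from a store users can edit.
const sampleRules = JSON.stringify([
  { name: 'block-large', priority: 10, condition: 'isOverLimit', consequence: 'deny' },
  { name: 'review-flagged', priority: 5, condition: 'isFlagged', consequence: 'review' },
]);

// Constructed hostile document: the fields contain JavaScript source. Under
// eval they would run; under fromJSONSafe they are plain strings that fail the
// registry lookup, and the marker globalThis.tainted is never set.
const hostileRules = JSON.stringify([
  { name: 'x', condition: 'function(){ return true }', consequence: 'globalThis.tainted = true' },
]);

// Returns true only if the hostile document is accepted, which it must not be.
function hostileAccepted() {
  try {
    fromJSONSafe(hostileRules);
    return true;
  } catch (e) {
    return false;
  }
}

// Runs both documents and reports the outcomes for a quick manual check.
function demo() {
  const rules = fromJSONSafe(sampleRules);
  const fact = { amount: 500, limit: 100 };
  return {
    fired: run(rules, fact),
    result: fact.result,
    hostileAccepted: hostileAccepted(),
    tainted: globalThis.tainted,
  };
}
```

    Calling demo() returns the name of the rule that fired for the benign document, confirms that the hostile document is rejected, and shows that the code strings it carried were never executed. The key design point is that no string from the document ever reaches eval, new Function or a similar evaluator; the only way a rule can invoke behaviour is through a name that the application registered ahead of time.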

    Remediation

    Upgrade to version 5.0.0 or later.


    Advisory timeline

    1. published
       Advisory Published
       May 20th, 2020
    2. reported
       Reported by Snyk Security Team
       Mar 26th, 2020