    Severity: critical

    Command Injection



    Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes them directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code on the system if the rules are user-controlled.


    Upgrade to version 5.0.0 or later.
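
The flaw class described above, as an added illustration: this is a simplified model, not node-rules' source or API, and not code from the advisory. All names (loadRulesUnsafe, loadRulesSafe, CONDITIONS, CONSEQUENCES, run, demo) are hypothetical and the sample rules are constructed; it contrasts reviving rule functions from JSON strings with eval against resolving them from a fixed registry.

```javascript
// Added illustration: simplified model, NOT node-rules' source; names are hypothetical.

// Unsafe pattern: function bodies arrive as strings and are revived with
// eval, so whoever controls the JSON runs code in this process at load time.
function loadRulesUnsafe(json) {
  return JSON.parse(json).map((r) => ({
    name: r.name,
    condition: eval("(" + r.condition + ")"),
    consequence: eval("(" + r.consequence + ")"),
  }));
}

// Safer pattern: JSON may only *name* handlers from a fixed registry and
// pass plain data. Map lookups avoid inherited keys such as "constructor".
const CONDITIONS = new Map([["amountOver", (fact, p) => fact.amount > Number(p.limit)]]);
const CONSEQUENCES = new Map([["block", (fact) => { fact.result = false; }]]);

function loadRulesSafe(json) {
  return JSON.parse(json).map((r) => {
    const cond = CONDITIONS.get(r.condition);
    const cons = CONSEQUENCES.get(r.consequence);
    if (!cond || !cons) throw new Error("rule rejected: unknown handler");
    const params = r.params || {};
    return { name: r.name, condition: (f) => cond(f, params), consequence: cons };
  });
}

function run(rules, fact) {
  for (const rule of rules) if (rule.condition(fact)) rule.consequence(fact);
  return fact;
}

function demo() {
  // Constructed input: the "condition" string sets a harmless marker when evaluated.
  const untrusted = JSON.stringify([{ name: "x", consequence: "function () {}",
    condition: "(globalThis.ranAtLoad = true, function () { return false; })" }]);
  loadRulesUnsafe(untrusted);
  const unsafeRan = globalThis.ranAtLoad === true; // marker set during load, before any rule ran
  delete globalThis.ranAtLoad;
  let rejected = false;
  try { loadRulesSafe(untrusted); } catch (e) { rejected = true; }
  const declarative = '[{"name":"big","condition":"amountOver","consequence":"block","params":{"limit":500}}]';
  const fact = run(loadRulesSafe(declarative), { amount: 900, result: true });
  return { unsafeRan, rejected, safeRanCode: "ranAtLoad" in globalThis, result: fact.result };
}

console.log(demo());
```

The marker is set while the rules are being loaded, before any rule is evaluated against a fact, which is why validating facts alone does not help when the rule source itself is user-controlled.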


    Advisory timeline

    1. published

      Advisory Published
      May 20th, 2020
    2. reported

      Reported by Snyk Security Team
      Mar 26th, 2020