Narcoleptic's Patch Mangler
open

Command Injection

Severity: critical

Overview

All versions of open are vulnerable to command injection when unsanitized user input is passed in.

The package does come with the following warning in the readme:

The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
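As an added illustration (not code from the open package or from this advisory), the gatekeeper below shows what sanitizing input for a launcher with open's call shape means in practice: only a normalized http(s) URL built from a conservative character allowlist is passed on. The launcher is injected as a parameter so the example runs without the module; the allowlist and the length cap are assumptions of this example.

```javascript
// Added example: validate a target before it can reach a launcher that hands
// its argument to a shell, as the advisory describes for open().

// Characters accepted in the *normalized* URL. Shell-significant characters
// (space, quotes, backtick, $, ;, &, |, <, >, parentheses, *, !, newline) are
// deliberately absent, so '&'-separated query strings are rejected as well.
// This allowlist is an assumption of this example, not a rule from the advisory.
const SAFE_URL_CHARS = /^[A-Za-z0-9\-._~:\/?#@=%+,]+$/;
const MAX_LENGTH = 2048; // arbitrary cap, assumed for this example

// Returns the normalized URL string if `input` is acceptable, otherwise null.
function validateOpenTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LENGTH) {
    return null;
  }
  let url;
  try {
    url = new URL(input); // rejects relative paths and non-URL strings outright
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // no file:, javascript: or custom schemes reach the shell
  }
  // Check the serialized form: WHATWG parsing percent-encodes some characters
  // (e.g. space) but leaves ';', '&', '$' and '|' intact, so test url.href.
  return SAFE_URL_CHARS.test(url.href) ? url.href : null;
}

// Wrapper around a launcher with open()'s call shape, e.g. require('open').
// `launcher` is injected so this file runs without the vulnerable module.
function openSafely(input, launcher) {
  const target = validateOpenTarget(input);
  if (target === null) {
    throw new Error('refusing to open: input is not a plain http(s) URL');
  }
  return launcher(target);
}

// Stand-alone demonstration with constructed inputs and a fake launcher.
const fakeLauncher = (t) => { console.log('would launch:', t); return t; };
openSafely('https://example.com/docs?page=2', fakeLauncher);
for (const bad of ['https://example.com/ ; echo injected', 'file:///tmp/report.html', '/dashboard']) {
  try { openSafely(bad, fakeLauncher); } catch (e) { console.log('rejected:', JSON.stringify(bad)); }
}
```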

Remediation

No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

Vulnerable versions

0.0.0 (6 years ago)
0.0.2 (6 years ago)
0.0.3 (6 years ago)
0.0.4 (5 years ago)
0.0.5 (4 years ago)

Unaffected versions

Resources

Advisory timeline

  1. published: Advisory published, May 16th, 2018
  2. reported: May 16th, 2018