Severity: critical

Command Injection



All versions of open are vulnerable to command injection when unsanitized user input is passed in.

The package does come with the following warning in the readme:

The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.


No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.


Advisory timeline

  1. published

    Advisory published
    May 16th, 2018
  2. reported

    May 16th, 2018