Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote code execution.
Update to version 2.3.0 or later.
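To confirm that no copy of console-io older than 2.3.0 remains in a dependency tree, including nested copies pulled in by other packages, a lockfile check like the following can be used. This is an added example, not code from the advisory or the console-io project; the function names and the sample lockfile are constructed for illustration, and treating prereleases of 2.3.0 as affected is an assumption.

```javascript
// Added example: flag console-io installs older than the fixed release (2.3.0).
const FIXED = [2, 3, 0];

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version predates 2.3.0. Unparseable versions and 2.3.0
// prereleases count as affected (a conservative assumption of this example).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Collect every console-io entry from a parsed package-lock.json: the flat
// "packages" map (lockfile v2/v3) or the nested "dependencies" tree (v1).
function findConsoleIo(lock) {
  const hits = [];
  const hit = (path, version) => hits.push({ path, version, affected: isAffected(version) });
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/console-io$/.test(path)) hit(path, info.version);
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === 'console-io') hit(`${trail}/${name}`, info.version);
      walk(info.dependencies, `${trail}/${name}`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one affected top-level install, one fixed nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/console-io': { version: '2.2.0' },
    'node_modules/dev-tools/node_modules/console-io': { version: '2.3.0' },
  },
};
console.log(findConsoleIo(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the project's `package-lock.json` to `findConsoleIo` and fail the build when any entry has `affected` set to true.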
Advisory published: Apr 18th, 2016
Initial report by Craig Arendt: Mar 28th, 2016