
OS Command Injection in execa (execa@^1.0.0) #159

Closed
furqanbaqai opened this issue Jun 24, 2020 · 4 comments · May be fixed by #162

@furqanbaqai

Dependency execa@^1.0.0 has the following vulnerability reported:

Description:
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true, which makes execa search for locally installed binaries and execute them.

Identifiers
Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d

Severity
Critical

@kelvinlouis

Is a patch planned? This vulnerability prohibits us from publishing our package.

@chrised123

@amasad can you please approve this merge?

@amasad (Owner)

amasad commented Mar 28, 2021

Hey guys, I'm not really coding anymore so can't really test and maintain this package. Anyone wants to be a maintainer? cc @stefanpenner if he has any ideas.

@COScholl (Collaborator)

sane@4.1.0 is now deprecated in favor of sane@5.0.1 using execa@4.0.0
