Skip to content

OS Command Injection in node-notifier

moderate severity Published Dec 21, 2020 • Updated Jan 7, 2021

Package

npm node-notifier (npm)

Affected versions

< 8.0.1

Patched versions

8.0.1

Description

This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

References

CVE ID

CVE-2020-7789

CVSS Score

5.6 Moderate
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L