CVE-2023-40582
CRITICAL 9.8 | EPSS 5.1%
Command Injection Vulnerability in find-exec
Published: 8/30/2023 | Modified: 11/8/2023
Also known as: GHSA-95rp-6gqp-6622
Description
Older versions of the package are vulnerable to command injection through an attacker-controlled parameter. As a result, attackers may run malicious commands. For example:

```
const find = require("find-exec");
find("mplayer; touch hacked")
```

This creates a file named "hacked" on the filesystem. You should never allow users to control the commands passed to find, since this package attempts to run every command provided.

Thanks to @miguelafmonteiro for reporting.
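For callers that must accept command names from outside, the check can be done with no shell involved at all. The following is an added example, not code from find-exec or from this advisory; `isSafeCommandName`, `findFirstAvailable` and `demo` are hypothetical names, and the allowed-character pattern is an assumption about what a legitimate command name looks like.

```javascript
// Added example (not find-exec's code): locate a command without a shell.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Assumption: legitimate command names are plain program names, so anything
// with shell metacharacters, whitespace or path separators is rejected.
const SAFE_NAME = /^[A-Za-z0-9._+-]+$/;

function isSafeCommandName(name) {
  return typeof name === "string" && SAFE_NAME.test(name) && name !== "." && name !== "..";
}

// Return the first candidate found as an executable file on the search path,
// or null. No child process is spawned, so input never reaches a shell.
function findFirstAvailable(candidates, searchPath = process.env.PATH || "") {
  const dirs = searchPath.split(path.delimiter).filter(Boolean);
  for (const name of candidates) {
    if (!isSafeCommandName(name)) continue; // drops "mplayer; touch hacked"
    for (const dir of dirs) {
      const full = path.join(dir, name);
      try {
        if (!fs.statSync(full).isFile()) continue;
        fs.accessSync(full, fs.constants.X_OK);
        return name;
      } catch {
        // Not present or not executable in this directory; keep looking.
      }
    }
  }
  return null;
}

// Constructed demo: a temp directory holding one fake executable, "mplayer".
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "findexec-demo-"));
  fs.writeFileSync(path.join(dir, "mplayer"), "#!/bin/sh\n", { mode: 0o755 });
  const result = {
    injected: findFirstAvailable(["mplayer; touch hacked"], dir),
    benign: findFirstAvailable(["afplay", "mplayer"], dir),
    sideEffect: fs.existsSync(path.join(dir, "hacked")),
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```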
Affected packages (1)
- npm/find-exec: from 0, < 1.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |