CVE-2019-15597

Name of the Vulnerable Software and Affected Versions node-df versions 0.1.4 and earlier

Description A code injection issue exists that can allow an attacker to achieve remote code execution through unsanitized input. The package fails to sanitize filenames passed to the file option, which may allow attackers to run arbitrary commands in the server if the value is user-controlled.

Recommendations For node-df version 0.1.4, consider using an alternative package until a fix is made available. For all versions of node-df, consider restricting the use of the file option to prevent user-controlled input from being passed to it until a fix is available.