Unknown · Keep-Module-Latest · CVE-2023-26128
**Name of the Vulnerable Software and Affected Versions**
keep-module-latest, all versions
**Description**
The `installModule` function lacks input sanitization and any other checks or sandboxing, which leads to Command Injection. To potentially exploit this, an attacker needs the ability to run Node.js code within the target environment, which typically requires some level of access to the system or application hosting the Node.js environment.
**Recommendations**
For all versions, consider disabling the `installModule` function until a patch is available to prevent potential Command Injection attacks. Restrict access to the Node.js environment to minimize the risk of exploitation. Avoid using the `installModule` function in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
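For code that still has to install a package at runtime while `installModule` is disabled, the sketch below shows the kind of input check and shell-free invocation the description says is missing. It is an added example, not code from keep-module-latest; `buildInstallArgs` and `installModuleSafely` are hypothetical names, and it assumes a POSIX host where `npm` is an executable on `PATH`.

```javascript
// Added example (not keep-module-latest source). Function names are hypothetical.

// npm package-name grammar: optional @scope/, lowercase, URL-safe characters only.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
// Exact version or dist-tag style token: no ranges, spaces or shell metacharacters.
const VERSION_RE = /^[a-z0-9][a-z0-9.+-]*$/i;
const MAX_NAME_LENGTH = 214; // npm's documented limit for package names

// Build the argv for `npm install`, rejecting anything that is not name[@version].
function buildInstallArgs(name, version) {
  if (typeof name !== 'string' || name.length > MAX_NAME_LENGTH || !NAME_RE.test(name)) {
    throw new TypeError('rejected package name');
  }
  if (version === undefined) {
    return ['install', name];
  }
  if (typeof version !== 'string' || !VERSION_RE.test(version)) {
    throw new TypeError('rejected version');
  }
  return ['install', `${name}@${version}`];
}

// Run npm with an argument vector. execFile does not start a shell, so the
// validated value reaches npm as a single argument and is never re-parsed.
function installModuleSafely(name, version, callback) {
  const args = buildInstallArgs(name, version); // throws before any process starts
  const { execFile } = require('node:child_process');
  return execFile('npm', args, { shell: false, timeout: 120000 }, callback);
}
```

Validation and invocation are kept separate so the allow-list can be unit-tested without spawning `npm`.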