CVE-2020-7602

Name of the Vulnerable Software and Affected Versions node-prompt-here versions 1.0.0 through 1.0.1

Description The issue allows execution of arbitrary commands. The runCommand() function is called by the getDevices() function in the file linux/manager.js, which is required by the index.js process using process.env.NM CLI. This function constructs the argument for the execSync() function, which can be controlled by users without any sanitization.

Recommendations For node-prompt-here versions 1.0.0 through 1.0.1, consider disabling the runCommand() function until a patch is available to prevent the execution of arbitrary commands. Restrict access to the execSync() function to minimize the risk of exploitation. Avoid using the process.env.NM CLI variable in the affected index.js file until the issue is resolved.