PT-2020-21383 — Remote Code Execution in Npm Load-From-Cwd-Or-Npm

PT-2020-21383 · Npm · Load-From-Cwd-Or-Npm

Published

2020-09-03

Updated

2020-09-03

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions load-from-cwd-or-npm version 3.0.2

Description The issue concerns malicious code in version 3.0.2 of the load-from-cwd-or-npm package, which affects the functionality of the purescript-installer package by injecting targeted code.

Recommendations Upgrade to version 3.0.4 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-506

Related Identifiers

GHSA-JXF5-7X3J-8J9M

Affected Products

Load-From-Cwd-Or-Npm

PT-2020-21383 · Npm · Load-From-Cwd-Or-Npm

Weakness Enumeration

Related Identifiers

Affected Products

References · 2