CVE-2020-7614

Name of the Vulnerable Software and Affected Versions npm-programmatic versions 0.0.0 through 0.0.12 All versions of npm-programmatic are affected, but since a range is specified, we prioritize the range provided by Mitre.

Description The issue is related to Command Injection in the npm-programmatic package. The packages and option properties are concatenated without validation and used directly by the 'exec' function, allowing an attacker to execute arbitrary code by sending a specially crafted malicious package. This may enable attackers to run arbitrary code in the system if the package name passed to the function is user-controlled.

Recommendations For npm-programmatic versions 0.0.0 through 0.0.12, consider using an alternative package until a fix is made available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.