CVE-2022-0841

Name of the Vulnerable Software and Affected Versions npm-lockfile versions prior to 2.0.5

Description The issue concerns an OS Command Injection vulnerability. It is caused by the lack of sanitization of external input, leading to the invocation of sensitive command execution APIs with unsafe input. This results in command injection. A fix was released in version 2.0.5.

Recommendations For versions prior to 2.0.5, update to version 2.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the npm-lockfile command until a patch is applied. Avoid using unsanitized external input in the npm-lockfile command until the issue is resolved.