PT-2022-9060 · Thenify+3 · Thenify+3

Published

2022-07-18

Updated

2025-06-25

CVE-2020-7677

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions thenify versions prior to 3.3.1

Description The issue arises from the lack of sanitization of the name argument provided to the thenify package, which is then passed to the eval function without any sanitization. This allows untrusted user input to lead to arbitrary code execution on the host. The eval function is used to execute JavaScript code, and passing unsanitized user input to it can lead to code injection attacks.

Recommendations For versions prior to 3.3.1, update to version 3.3.1 or later, which removes the unsafe calls to eval. As a temporary workaround, consider restricting user input to prevent arbitrary code execution until the patch is applied.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2020-7677

DLA-3128-1

GHSA-29XR-V42J-R956

MGASA-2025-0194

USN-6016-1

Affected Products

Astra Linux

Linuxmint

Ubuntu

Thenify

PT-2022-9060 · Thenify+3 · Thenify+3

CVE-2020-7677

Weakness Enumeration

Related Identifiers

Affected Products

References · 28