GMS-2020-43: Command Injection in addax

September 3, 2020 (updated September 28, 2021)

Versions of addax are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system. Upgrade to or later.

References

github.com/advisories/GHSA-4q8f-5xxj-946r
www.npmjs.com/advisories/954

Code Behaviors & Features

Detect and mitigate GMS-2020-43 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →