CVE-2020-7609: Code Injection in node-rules

December 10, 2021 (updated January 23, 2026)

node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function “fromJSON()” can be controlled by users without any sanitization.

References

github.com/advisories/GHSA-f78f-353m-cf4j
github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832
github.com/mithunsatheesh/node-rules/issues/84
nvd.nist.gov/vuln/detail/CVE-2020-7609
snyk.io/vuln/SNYK-JS-NODERULES-560426

Code Behaviors & Features

Detect and mitigate CVE-2020-7609 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →