GHSA-8whr-v3gm-w8h9: Duplicate Advisory: Command Injection in node-rules

September 3, 2020 (updated January 23, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f78f-353m-cf4j. This link is maintained to preserve external references.

Original Description

Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are user-controlled.

Recommendation

Upgrade to version 5.0.0 or later.

References

github.com/advisories/GHSA-8whr-v3gm-w8h9
github.com/mithunsatheesh/node-rules
github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832
github.com/mithunsatheesh/node-rules/issues/84
snyk.io/vuln/SNYK-JS-NODERULES-560426

Code Behaviors & Features

Detect and mitigate GHSA-8whr-v3gm-w8h9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →