CVE-2021-23380: Command Injection

April 18, 2021 (updated June 28, 2022)

If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

References

nvd.nist.gov/vuln/detail/CVE-2021-23380

Code Behaviors & Features

Detect and mitigate CVE-2021-23380 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →