GHSA-49vv-6q7q-w5cf: Duplicate Advisory: OS Command Injection in Strapi

December 10, 2021 (updated December 29, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9p2w-rmx4-9mw7. This link is maintained to preserve external references.

Original Description

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

References

bittherapy.net/post/strapi-framework-remote-code-execution
github.com/advisories/GHSA-49vv-6q7q-w5cf
github.com/strapi/strapi
github.com/strapi/strapi/pull/4636
nvd.nist.gov/vuln/detail/CVE-2019-19609

Code Behaviors & Features

Detect and mitigate GHSA-49vv-6q7q-w5cf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →