vulnerability code injection
severity 3.8
language javascript
registry npm


Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. The spawn function receives the _executableShell variable, which is the /bin/sh command. This could result in any command, even if the function is written correctly, leading to RCE.