Description
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization.
Remediation
References
https://github.com/xseignard/rpi/blob/master/src/lib/gpio.js#L47
https://snyk.io/vuln/SNYK-JS-RPI-548942
Related Vulnerabilities
CVE-2017-3208 Vulnerability in maven package com.exadel.flamingo.flex:amf-serializer
CVE-2021-28162 Vulnerability in npm package @wiptheia/core
CVE-2020-36048 Vulnerability in maven package org.webjars.npm:engine.io
CVE-2022-28366 Vulnerability in maven package org.codelibs:nekohtml
CVE-2022-25848 Vulnerability in npm package static-dev-server