Description
install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
Remediation
References
https://github.com/1000ch/install-package/blob/master/index.js#L82
https://snyk.io/vuln/SNYK-JS-INSTALLPACKAGE-564267
Related Vulnerabilities
CVE-2018-5673 Vulnerability in maven package org.webjars.bowergithub.dojo:dojo
CVE-2021-23391 Vulnerability in npm package calipso
CVE-2022-24947 Vulnerability in maven package org.apache.jspwiki:jspwiki-main
CVE-2024-36401 Vulnerability in maven package org.geoserver:gs-wms
CVE-2020-28477 Vulnerability in maven package org.webjars.npm:immer