<p>Upgrade <code>open</code> to version 6.0.0 or higher.</p>

Arbitrary Command Injection Affecting open package, versions <6.0.0

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:open:20180512
published 13 May 2018
disclosed 12 May 2018
credit ChALkeR

Report a new vulnerability Found a mistake?

Introduced: 12 May 2018

CWE-264 Open this link in a new tab

How to fix?

Upgrade open to version 6.0.0 or higher.

Overview

open is a cross platform package that opens stuff like URLs, files, executables.

Affected versions of this package are vulnerable to Arbitrary Command Injection. Urls are not properly escaped before concatenating them into the command that is opened using exec().

Note: Upgrading open to the last version will prevent this vulnerability but is also likely to have unwanted effects since it now has a very different API.

References

HackerOne Report