CVE-2017-16042

EPSS 4.4%CWE-94

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Affected products

HackerOne · growl node module

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/tj/node-growl/issues/60 https://github.com/tj/node-growl/pull/61 https://nodesecurity.io/advisories/146