CVE-2013-7381: Potential Command Injection in libnotify
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.82902%
CWE
Published
8/31/2020
Updated
9/8/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
libnotify | npm | <= 1.0.3 | 1.0.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the use of child_process.exec
with unsanitized user input in the notify()
function. The pre-patch code (<=1.0.3) builds a command string by joining arguments including user-controlled input (msg
and options.title
) with spaces, then executes via exec()
. This allows shell metacharacters in user input to break out of the intended command. The fix in 1.0.4 replaces exec()
with execFile()
, which avoids shell interpretation by passing arguments as an array. The commit diff clearly shows the vulnerable pattern: constructing args
array with quoted user input, then executing via exec(args.join(' '))
.