CVE-2018-3786: Command Injection in egg-scripts
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.92867%
CWE
Published
9/17/2018
Updated
9/18/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
egg-scripts | npm | < 2.8.1 | 2.8.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was patched by replacing exec()
with execFile()
in PR #26. The original code used exec('tail -n 100 ' + stderr)
where stderr came from user-controlled --stderr parameter. exec()
spawns a shell and interprets special characters, while execFile()
avoids shell interpretation. The vulnerable pattern matches CWE-78 (OS Command Injection) as untrusted data flows directly into a shell command.