-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIA Semantic Attack on Google Gemini - Read the Latest Research
A Semantic Attack on Google Gemini - Read the Latest Research
Miggo AI
Miggo AIRoot Cause AnalysisThe vulnerability is a command injection (CWE-77) in curljs, a Node.js wrapper for curl. The PoC demonstrates command injection via the package's main function (require('curljs')('...')). This indicates the primary exported function (likely named 'curl') constructs system commands by concatenating unsanitized user input into shell-executed strings (e.g., using child_process.exec). The lack of input sanitization for shell metacharacters like '&' allows arbitrary command execution. The entry point (index.js) is the most probable location for this vulnerable function given standard npm package structure and the absence of patch details.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| curljs | npm | <= 0.1.2 |