Basic Information

CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: CWE-77
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| image-tiler | npm | < 2.0.2 | |
The vulnerability stems from using execSync with unescaped string concatenation to execute system commands. The patch replaces execSync with execFileSync (which avoids shell interpretation) and switches to parameterized arguments. The functions tileLevel and tileRec both contained command execution patterns where user-controlled variables (like filenames and quality parameters) were directly interpolated into command strings, creating injection vectors. The commit message and CWE-77 classification confirm this was a command injection vulnerability addressed by proper argument sanitization.