CVE-2020-7597: codecov NPM module allows remote attackers to execute arbitrary commands
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-7597
GHSA ID:
EPSS Score: 0.70798%
CWE:
Published: 2/19/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| codecov | npm | < 3.6.5 | 3.6.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how the 'gcov-root' parameter is handled when the command string is built. The commit diff shows that the vulnerable code sanitized the value with validator.escape(), which performs HTML-entity escaping and therefore does not neutralize shell operators such as '&'. The patch introduced a custom sanitizeVar function that removes ampersands, confirming the attack vector. Because exec runs the constructed command string, which contains user-controlled input, the upload function is the primary vulnerable point.