9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7624

GHSA ID

GHSA-6hr9-4692-fch9

EPSS Score

0.78238%

CWE

CWE-78

Published

2/10/2022

Updated

6/4/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7624

CVE-2020-7624: Withdrawn Advisory: OS Command Injection in effect

Withdrawn Advisory

This advisory has been withdrawn because the npm package effect, for which alerts were issued, does not correspond with https://github.com/Javascipt/effect, the repository with the vulnerable code. https://github.com/Javascipt/effect is not in any supported ecosystem.

Additionally, the CVE Numbering Authority that issued the CVE for CVE-2020-7624 has updated their advisory stating that "This was deemed not a vulnerability."

Original Description

effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7624

GHSA ID

GHSA-6hr9-4692-fch9

EPSS Score

0.78238%

CWE

CWE-78

Published

2/10/2022

Updated

6/4/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
effect	npm	<= 1.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The code in helper.js shows clear command injection patterns:

generateCmd() directly interpolates user-controlled options.image and options.to into a shell command string
executeCommand() uses exec() with this untrusted string
The PoC demonstrates injection via options.image containing shell operators
CWE-78 pattern matches unsafe command construction with user input While the advisory was withdrawn due to package/repo mismatch, the code analysis itself reveals classic command injection vulnerabilities through these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t** [npm p**k*** *****t](*ttps://www.npmjs.*om/p**k***/*****t), *or w*i** *l*rts w*r* issu**, *o*s not *orr*spon* wit* *ttps://*it*u*.*om/J*v*s*ipt/*****t, t** r*pository wit* t** vuln*r*

Reasoning

T** *o** in **lp*r.js s*ows *l**r *omm*n* inj**tion p*tt*rns: *. **n*r*t**m*() *ir**tly int*rpol*t*s us*r-*ontroll** options.im*** *n* options.to into * s**ll *omm*n* strin* *. *x**ut**omm*n*() us*s *x**() wit* t*is untrust** strin* *. T** Po* **mon

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-7624: Withdrawn Advisory: OS Command Injection in effect

Withdrawn Advisory

Original Description

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI