CVE-2020-7784: Command injection in ts-process-promises
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.65538%
CWE
Published
1/13/2021
Updated
9/8/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ts-process-promises | npm | = 1.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Multiple sources (GitHub Advisory, NVD, Snyk) identify line 45 in lib/process-promises.js as the injection point.
- The PoC demonstrates vulnerability through the exec function call (a.exec('touch JHU', {})).
- CWE-77 classification confirms command injection pattern.
- The function name 'exec' aligns with Node.js child_process.exec patterns where command injection vulnerabilities commonly occur when input isn't sanitized.
- Lack of patching indicates the vulnerable function remains unmodified in all versions.