-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability manifests in the info method which takes a devicePath parameter and passes it unsanitized to execSmart. The code shows direct concatenation of user input into a shell command ("smartctl -i " + devicePath) using exec(). This pattern is vulnerable to command injection as confirmed by: 1) The advisory explicitly naming the info method 2) The Snyk PoC demonstrating injection via this parameter 3) The visible lack of input sanitization or safe execution methods (like execFile with separated arguments) in the code. The execSmart function is a common helper that amplifies this vulnerability across multiple entry points.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| smartctl | npm | <= 1.0.0 |