CVSS Score
The vulnerability stems from unsanitized user input being passed to child_process.exec during the Compass compilation step. The reproduction PoC shows that user-controlled filenames (supplied via the 'files' array parameter) are interpolated directly into the executed command string, so any shell metacharacters in a filename are interpreted by the shell. This matches the CWE-77 pattern of command injection through improper neutralization, and the advisory explicitly names child_process as the vulnerable component. The compileSass function is the primary exposed interface of the package, which makes it the logical location of the vulnerable command execution.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| broccoli-compass | npm | <= 0.2.4 | |