N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jcgr-9698-82jx

EPSS Score

CWE

CWE-77

Published

5/28/2021

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-jcgr-9698-82jx

GHSA-jcgr-9698-82jx:
Improper Neutralization of Special Elements used in a Command ('Command Injection') in @floffah/build

Impact

If you are using the esbuild target or command you are at risk of code/option injection. Attackers can use the command line option to maliciously change your settings in order to damage your project.

Patches

The problem has been patched in v1.0.0 as it uses a proper method to pass configs to esbuild/estrella.

Workarounds

There is no work around. You should update asap.

Notes

This notice is mainly just to make sure people update to the latest version. This isn't that bad, but should encourage you to update.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jcgr-9698-82jx

EPSS Score

CWE

CWE-77

Published

5/28/2021

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@floffah/build	npm	< 1.0.0	1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper command construction when passing options to esbuild. While exact code changes aren't visible, the advisory explicitly states the root cause was insecure config.php passing replaced by proper array-based argument handling in v1.0.0. The most likely vulnerable points are: 1) Direct esbuild execution functions using string-based command assembly 2) CLI entry points processing user inputs. These would appear in runtime traces during command injection attempts as they handle user-provided build parameters before vulnerable command assembly occurs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* you *r* usin* t** *s*uil* t*r**t or *omm*n* you *r* *t risk o* *o**/option inj**tion. *tt**k*rs **n us* t** *omm*n* lin* option to m*li*iously ***n** your s*ttin*s in or**r to **m*** your proj**t. ### P*t***s T** pro*l*m **s ***n p*t**

Reasoning

T** vuln*r**ility st*ms *rom improp*r *omm*n* *onstru*tion w**n p*ssin* options to *s*uil*. W*il* *x**t *o** ***n**s *r*n't visi*l*, t** **visory *xpli*itly st*t*s t** root **us* w*s ins**ur* `*on*i*.p*p` p*ssin* r*pl**** *y prop*r *rr*y-**s** *r*um*

N/A

Basic Information

Concerned about an active attack path?

GHSA-jcgr-9698-82jx: Improper Neutralization of Special Elements used in a Command ('Command Injection') in @floffah/build

Impact

Patches

Workarounds

Notes

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-jcgr-9698-82jx:
Improper Neutralization of Special Elements used in a Command ('Command Injection') in @floffah/build

Vulnerability Intelligence
Miggo AI