Description
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the ‘Open in browser’ option in versions up to 1.6.2, google-it will unsafely concat the result’s link retrieved from google to a shell command, potentially exposing the server to RCE.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.6.2
References
- GHSA-7xhv-mpjw-422f
- advisory.checkmarx.net
- CVE-2021-34083
- CWE-74
- CWE-78
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Command Injection Vulnerability - CVE-2021-21315
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
- Command Injection Vulnerability in systeminformation - CVE-2021-21388
- json-logic-js Command Injection vulnerability - CVE-2021-4329
- Tags:
- npm
- google-it
Anything's wrong? Let us know Last updated on January 27, 2023