Description
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the ‘Open in browser’ option in versions up to 1.6.2, google-it will unsafely concat the result’s link retrieved from google to a shell command, potentially exposing the server to RCE.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.6.2
References
- GHSA-7xhv-mpjw-422f
- advisory.checkmarx.net
- CVE-2021-34083
- CWE-74
- CWE-78
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- lobe-chat has an Open Redirect - CVE-2025-59426
- Cross-site Scripting in cesium - CVE-2023-48094
- Command Injection in node-rules - Vulnerability
- Cross-site Scripting in epubjs - CVE-2021-33040
- Tags:
- npm
- google-it
Anything's wrong? Let us know Last updated on January 27, 2023