Description
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the ‘Open in browser’ option in versions up to 1.6.2, google-it will unsafely concat the result’s link retrieved from google to a shell command, potentially exposing the server to RCE.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.6.2
References
- GHSA-7xhv-mpjw-422f
- advisory.checkmarx.net
- CVE-2021-34083
- CWE-74
- CWE-78
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- react-dev-utils OS Command Injection in function `getProcessForPort` - CVE-2021-24033
- Command injection in launchpad - CVE-2021-23330
- Command injection in github-todos - CVE-2021-44684
- Command Injection Vulnerability - CVE-2021-21315
- Tags:
- npm
- google-it
Anything's wrong? Let us know Last updated on January 27, 2023