Skip to content

Command injection in codecov (npm package)

Moderate severity GitHub Reviewed Published Jul 17, 2020 in codecov/codecov-node • Updated Jan 9, 2023

Package

npm codecov (npm)

Affected versions

< 3.7.1

Patched versions

3.7.1

Description

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

For more information

If you have any questions or comments about this advisory:

References

@drazisil drazisil published to codecov/codecov-node Jul 17, 2020
Reviewed Jul 20, 2020
Published to the GitHub Advisory Database Jul 20, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

1.600%
(88th percentile)

Weaknesses

CVE ID

CVE-2020-15123

GHSA ID

GHSA-xp63-6vf5-xf3v

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.