Description
install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
Remediation
References
https://github.com/1000ch/install-package/blob/master/index.js#L82%2C
https://snyk.io/vuln/SNYK-JS-INSTALLPACKAGE-564267
Related Vulnerabilities
CVE-2020-7643 Vulnerability in npm package paypal-adaptive
CVE-2022-36915 Vulnerability in maven package org.jenkins-ci.plugins:android-signing
CVE-2020-28433 Vulnerability in npm package node-latex-pdf
CVE-2023-37962 Vulnerability in maven package io.jenkins.plugins:benchmark-evaluator
CVE-2020-7641 Vulnerability in npm package grunt-util-property