CVE-2013-7381
Description
libnotify before 1.0.4 for Node.js contains a command injection vulnerability allowing remote code execution via crafted characters in the notify function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2013-7381 is a command injection vulnerability in the libnotify Node.js module versions prior to 1.0.4. The libnotify.notify() function does not properly sanitize user-supplied input, allowing attackers to inject arbitrary commands through unspecified characters [1][2].
Exploitation
An attacker can exploit this by providing specially crafted input to the notify function, which is typically used to display desktop notifications. No authentication is required, and the vulnerability can be triggered remotely via any application that uses the vulnerable library [2].
Impact
Successful exploitation allows a remote attacker to execute arbitrary commands on the host system, potentially leading to full compromise of the application and underlying server [2].
Mitigation
The vulnerability is fixed in version 1.0.4. Users should update the node-libnotify package immediately. The issue was disclosed in 2014 through the Node Security Project advisories [3][4].
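The difference between the pre-1.0.4 and 1.0.4 argument handling, as an added example that is not the project's code: it mirrors the string-building and array-building shapes from the fix commit listed under Patches and runs both against a stand-in program that prints the arguments it received. The probe script, `DEMO_VAR` and the sample values are constructed for illustration, and notify-send itself is never invoked.

```javascript
const { execSync, execFileSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Stand-in for notify-send (assumption): prints the arguments it received as JSON.
const probe = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'argv-')), 'probe.js');
fs.writeFileSync(probe, 'console.log(JSON.stringify(process.argv.slice(2)))');

// Constructed marker variable so shell expansion is visible in the output.
const env = { ...process.env, DEMO_VAR: 'EXPANDED_BY_SHELL' };

// Pre-1.0.4 shape (removed lines of the patch): one string handed to a shell.
function buildShellCommand(program, msg, options = {}) {
  const args = [program, '"' + msg + '"'];
  if (options.image) args.push('-i ' + options.image);
  if (options.title) {
    args.shift();
    args.unshift(program, '"' + options.title + '"');
  }
  return args.join(' ');
}

// 1.0.4 shape (added lines of the patch): an argv array, no shell involved.
function buildArgv(msg, options = {}) {
  const args = [msg];
  if (options.image) args.push('-i', options.image);
  if (options.title) args.unshift(options.title);
  return args;
}

// What the child process sees when the string goes through /bin/sh.
function seenViaShell(msg, options) {
  const program = `"${process.execPath}" "${probe}"`;
  const cmd = buildShellCommand(program, msg, options);
  return JSON.parse(execSync(cmd, { env, encoding: 'utf8' }));
}

// What the child process sees when each value is its own argv element.
function seenViaExecFile(msg, options) {
  const argv = [probe, ...buildArgv(msg, options)];
  return JSON.parse(execFileSync(process.execPath, argv, { env, encoding: 'utf8' }));
}

// Constructed sample input: ordinary-looking text and a path with a space.
const sample = { msg: 'Disk quota: $DEMO_VAR', options: { image: '/tmp/my icon.png' } };
console.log('exec    :', seenViaShell(sample.msg, sample.options));
console.log('execFile:', seenViaExecFile(sample.msg, sample.options));
```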
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| libnotify (npm) | < 1.0.4 | 1.0.4 |
Affected products
- Node.js/libnotify (description)
Patches
dfe7801d73a0 Merge pull request #4 from nealpoole/exec-fix
1 file changed · +4 −5
lib/libnotify.js+4 −5 modified@@ -55,18 +55,17 @@ exports.binVersion = function(callback) { exports.notify = function(msg, options, callback) { var image, - args = ['notify-send','"' + msg + '"'], + args = [msg], options = options || {} this.binVersion(function(err, version){ if (err) return callback(err) - if (image = options.image) args.push('-i ' + image) + if (image = options.image) args.push('-i', image) if (options.time) args.push('-t', options.time) if (options.category) args.push('-c', options.category) if (options.urgency) args.push('-u', options.urgency) if (options.title) { - args.shift() - args.unshift('notify-send', '"'+ options.title +'"') + args.unshift(options.title) } - child_process.exec(args.join(' '), callback) + child_process.execFile('notify-send', args, {}, callback) }) }
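Review bot: in exports.notify, options.title and msg still go at the front of args with nothing marking the end of options, so a value that begins with - is handed to notify-send as an option rather than as notification text. Push the -i, -t, -c and -u pairs first and then add '--' ahead of options.title and msg, assuming notify-send honours the conventional -- terminator. The empty {} passed to execFile can be dropped, since the callback may be given directly after the args array.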
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6898-wx94-8jq8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-7381 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2014/05/13/1 (ghsa, x_refsource_MISC, WEB)
- www.openwall.com/lists/oss-security/2014/05/15/2 (ghsa, x_refsource_MISC, WEB)
- github.com/mytrile/node-libnotify/commit/dfe7801d73a0dda10663a0ff3d0ec8b4d5f0d448 (ghsa, x_refsource_CONFIRM, WEB)
- nodesecurity.io/advisories/libnotify_potential_command_injection_in_libnotify.notify (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/20 (ghsa, WEB)