Critical severity 9.8 · NVD Advisory · Published Jul 30, 2018 · Updated Jun 17, 2026
CVE-2018-3772
Description
Concatenating unsanitized user input in the whereis npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| whereis (npm) | < 0.4.1 | 0.4.1 |
Affected products
- https://github.com/vvo/whereis · v5 · Range: >= 0.4.1
References
- hackerone.com/reports/319476 (nvd; Exploit, Third Party Advisory; WEB)
- github.com/advisories/GHSA-wjr4-2jgw-hmv8 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-3772 (ghsa; ADVISORY)
- github.com/vvo/node-whereis/commit/0f64e3780235004fb6e43bfd153ea3e0e210ee2b (ghsa; WEB)
- www.npmjs.com/advisories/604 (ghsa; WEB)