Command Injection
Description
This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js'. It depends on a vulnerable package 'corenlp-js-interface'. The vulnerability can be exploited with the following PoC:
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of corenlp-js-prefab are vulnerable to command injection via the process function, allowing arbitrary command execution.
Vulnerability
corenlp-js-prefab is a deprecated package that wraps corenlp-js-interface. All versions are vulnerable to command injection due to unsanitized input passed to the corenlp-js-interface dependency. The injection point is in line 10 of 'index.js' [1].
Exploitation
An attacker can exploit this by providing a crafted string to the process function. The official PoC demonstrates this with the input "') touch JHU # ', which executes arbitrary commands [2]. No authentication is required if the package is used in a server-side application.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the host system, potentially leading to full compromise.
Mitigation
The package is deprecated and no fix is available. Users should migrate to alternative packages to mitigate the risk [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| corenlp-js-prefab | npm | <= 1.0.1 | — |
Affected products
- Range: all
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-h73g-8g27-xxcx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28439 (NVD entry)
- [2] snyk.io/vuln/SNYK-JS-CORENLPJSPREFAB-1050434 (Snyk advisory, x_refsource_MISC)
News mentions
No linked articles in our index yet.