VYPR
High severity · NVD Advisory · Published Feb 17, 2020 · Updated Aug 4, 2024

CVE-2020-7597

Description

Codecov-node npm module before 3.6.5 suffers from command injection via the gcov-root argument, allowing remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

This vulnerability is a command injection in the codecov-node npm package, which is used to upload coverage reports to Codecov. The value of the gcov-root argument is concatenated, unsanitized, into a shell command string that is run through exec, allowing an attacker to execute arbitrary commands on the host. This issue stems from an incomplete fix for CVE-2020-7596 [1][2].

Exploitation requires the attacker to control the gcov-root argument, which is typically supplied through command-line options or environment variables in a CI pipeline. No authentication is needed if the attacker can influence the upload arguments. A proof of concept by the JHU System Security Lab uses a value containing an ampersand (&) to chain commands [3].

Successful exploitation leads to arbitrary command execution on the host running the codecov-node module. This can compromise the CI environment, expose secrets, and allow lateral movement. The impact is rated critical (CVSS 9.8) because coverage upload scripts often run in a highly privileged context [1][3].

The vulnerability is fixed in version 3.6.5. The fix introduces a sanitizeVar function that strips ampersands from the option values before the command is executed. Users are strongly advised to upgrade to the latest version to mitigate the risk [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       | Affected versions | Patched versions
codecov (npm) | < 3.6.5           | 3.6.5

Affected products

  • codecov-node/codecov-node
  • ghsa-coords: Range: < 3.6.5

Patches

Commit 02cf13d8b93a

[CE-1330] Escaping args (#167)

https://github.com/codecov/codecov-node · Joe Becher · Feb 4, 2020 · via ghsa
5 files changed · +18 −13
  • .gitignore (+1 −0, modified)
    @@ -27,3 +27,4 @@ node_modules
     
     lib-cov/
     coverage.json
    +.vs-code
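
Review bot: the added entry `.vs-code` does not match the directory VS Code actually creates, which is `.vscode`, so this line ignores nothing; either correct it to `.vscode` or drop it, since it is unrelated to the escaping fix this commit is about.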
    
  • lib/codecov.js (+10 −6, modified)
    @@ -5,7 +5,6 @@ var urlgrey = require('urlgrey')
     var jsYaml = require('js-yaml')
     var walk = require('ignore-walk')
     var execSync = require('child_process').execSync
    -var validator = require('validator')
     
     var detectProvider = require('./detect')
     
    @@ -394,13 +393,13 @@ var upload = function(args, on_success, on_failure) {
           if (!isWindows) {
             gcov =
               'find ' +
    -          (args.options['gcov-root'] || root) +
    +          (sanitizeVar(args.options['gcov-root']) || root) +
               " -type f -name '*.gcno' " +
               gcg +
               ' -exec ' +
    -          (validator.escape(args.options['gcov-exec']) || 'gcov') +
    +          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
               ' ' +
    -          (validator.escape(args.options['gcov-args']) || '') +
    +          (sanitizeVar(args.options['gcov-args']) || '') +
               ' {} +'
           } else {
             // @TODO support for root
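
Review bot: on the `gcov-root` line the sanitizer now runs before the fallback (`sanitizeVar(args.options['gcov-root']) || root`), so when the option is not set `arg` is undefined and `arg.replace` throws a TypeError where the old code fell back to `root`. Apply the default first, e.g. `sanitizeVar(args.options['gcov-root'] || root)`, or have sanitizeVar return '' for non-strings. The same ordering applies to the `gcov-exec` and `gcov-args` lines in this hunk.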
    @@ -409,9 +408,9 @@ var upload = function(args, on_success, on_failure) {
               'for /f "delims=" %g in (\'dir /a-d /b /s *.gcno ' +
               gcg +
               "') do " +
    -          (args.options['gcov-exec'] || 'gcov') +
    +          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
               ' ' +
    -          (args.options['gcov-args'] || '') +
    +          (sanitizeVar(args.options['gcov-args']) || '') +
               ' %g'
           }
           debug.push(gcov)
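
Review bot: the Windows branch has the same ordering problem: `sanitizeVar(args.options['gcov-exec'])` and `sanitizeVar(args.options['gcov-args'])` are evaluated before `|| 'gcov'` and `|| ''`, so an unset option is a crash rather than a default. Note also that the same single-character strip is now relied on for both platforms while the command is still assembled as a string; building an argument array instead of a command string would remove the shell from the path on either platform, and the `// @TODO support for root` above is still open.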
    @@ -556,7 +555,12 @@ var upload = function(args, on_success, on_failure) {
       }
     }
     
    +function sanitizeVar(arg) {
    +  return arg.replace(/&/g, '')
    +}
    +
     module.exports = {
    +  sanitizeVar: sanitizeVar,
       upload: upload,
       version: version,
       sendToCodecovV2: sendToCodecovV2,
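
Review bot: `sanitizeVar` removes only `&`, but the values it returns are still interpolated into a string executed through `execSync` (required at the top of this file), so this is a deny-list of one character rather than a fix for the concatenation itself. Prefer `execFile`/`spawn` with an argv array so no shell interprets the values, or validate against an allow-list of path characters and reject anything else. Also guard the non-string case (`typeof arg !== 'string'`), since the callers above pass options that may be undefined. Exporting the helper for the test is fine.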
    
  • package.json (+1 −2, modified)
    @@ -35,8 +35,7 @@
         "ignore-walk": "3.0.3",
         "js-yaml": "3.13.1",
         "teeny-request": "6.0.1",
    -    "urlgrey": "0.4.4",
    -    "validator": "12.2.0"
    +    "urlgrey": "0.4.4"
       },
       "devDependencies": {
         "eslint": "^5.16.0",
    
  • package-lock.json (+0 −5, modified)
    @@ -6148,11 +6148,6 @@
             "spdx-expression-parse": "^3.0.0"
           }
         },
    -    "validator": {
    -      "version": "12.2.0",
    -      "resolved": "https://registry.npmjs.org/validator/-/validator-12.2.0.tgz",
    -      "integrity": "sha512-jJfE/DW6tIK1Ek8nCfNFqt8Wb3nzMoAbocBF6/Icgg1ZFSBpObdnwVY2jQj6qUqzhx5jc71fpvBWyLGO7Xl+nQ=="
    -    },
         "verror": {
           "version": "1.10.0",
           "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
    
  • test/index.test.js (+6 −0, modified)
    @@ -276,4 +276,10 @@ describe('Codecov', function() {
         expect(res.query.yaml).toBe(process.cwd() + '/foo.yml')
         mockFs.restore()
       })
    +
    +  it('can sanitize inputs', function() {
    +    expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
    +      'real  run unsafe  command'
    +    )
    +  })
     })
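
Review bot: the new test only checks that `&` is dropped from one string; add a case for an unset option (undefined), cases asserting that the defaults (`'gcov'`, `''`) are still applied, since those paths change in lib/codecov.js in this same commit, and a case asserting that a value without `&` is returned unchanged.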
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
