CVE-2020-7613
Description
clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the _is_clamav_binary function located within Index.js. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
clamscan through 1.2.0 allows command injection via the _is_clamav_binary function, requiring an attacker-created folder with the command name.
Vulnerability
Description
clamscan, a Node.js library for scanning files with ClamAV, contains a command injection vulnerability in versions up to and including 1.2.0. The flaw resides in the _is_clamav_binary function in index.js, which builds the scanner's version-check command as a single string (binary path plus flag) and runs it through a shell via child_process exec without sanitizing the path it contains [1][3]. An attacker who controls that string can therefore inject arbitrary shell commands.
Exploitation
Prerequisites
Exploitation requires a precondition: an attacker must first create a folder whose name matches the command to be injected. This lowers the likelihood of exploitation but does not eliminate the risk [2][3]. The vulnerability can be triggered when the library attempts to verify the existence of a ClamAV binary; as the patched hunk below shows, an fs access check on the configured path runs before the command is executed, which is why the injected name must also exist on disk.
Impact
Successful command injection could allow an attacker to execute arbitrary commands on the server with the privileges of the Node.js process, potentially leading to full system compromise, data exfiltration, or further lateral movement.
Mitigation
Users should upgrade to a patched release of clamscan; the advisory data on this page lists 1.3.0 as the first fixed version, and every release up to and including 1.2.0 is affected [1][2]. No workarounds are documented; updating is the recommended course of action.
- [1] GitHub - kylefarris/clamscan: A robust ClamAV virus scanning library supporting scanning files, directories, and streams with local sockets, local/remote TCP, and local clamscan/clamdscan binaries (with failover).
- [2] huntr.dev - Command Injection Fix by huntr-helper · Pull Request #45 · kylefarris/clamscan
- [3] NVD - CVE-2020-7613
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| clamscan (npm) | < 1.3.0 | 1.3.0 |
Affected products
- clamscan/clamscan
Patches
5f557c970817 Merge pull request #45 from 418sec/master
1 file changed · +2 −2
index.js+2 −2 modified@@ -491,8 +491,8 @@ class NodeClam { try { await fs_access(path, fs.constants.R_OK); - - const {stdout} = await cp_exec(version_cmds[scanner]); + version_cmds_exec = version_cmds[scanner].split(' '); + const {stdout} = await cp_execfile(version_cmds_exec[0], [version_cmds_exec[1]]); if (stdout.toString().match(/ClamAV/) === null) { if (this.settings.debug_mode) console.log(`${this.debug_label}: Could not verify the ${scanner} binary.`); return false;
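Review bot: the added line `version_cmds_exec = version_cmds[scanner].split(' ');` assigns to an identifier that is never declared in the hunk; because this code sits inside `class NodeClam {`, it runs in strict mode and the assignment throws a ReferenceError at runtime unless `version_cmds_exec` is declared somewhere outside the shown context, so declare it with `const`. Separately, splitting the joined command on a single space and passing only `[version_cmds_exec[1]]` assumes the binary path contains no spaces and the command has exactly one argument; a path such as one under a directory with a space in its name (common on Windows) would be broken into the wrong argv[0] and any further arguments would be silently dropped. Keeping the path and its arguments as separate values (for example `cp_execfile(binaryPath, ['--version'])`) instead of joining them into one string and re-splitting avoids both problems and still removes the shell from the call.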
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5v25-xr56-phph (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7613 (ghsa, ADVISORY)
- github.com/kylefarris/clamscan/blob/master/index.js (ghsa, x_refsource_MISC, WEB)
- github.com/kylefarris/clamscan/commit/5f557c970817fe8c578ec3f7ad3bcbcef4cf5538 (ghsa, WEB)
- github.com/kylefarris/clamscan/pull/45 (ghsa, WEB)
- huntr.dev/bounties/1-npm-clamscan (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-CLAMSCAN-564113 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.