CVE-2020-7623
Description
jscover prior to 1.0.0 allows unauthenticated command injection via the unsanitized source argument, potentially leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
jscover prior to 1.0.0 allows unauthenticated command injection via the unsanitized `source` argument, potentially leading to remote code execution.
Vulnerability
Overview
The jscover package, a Node.js wrapper for JSCover, is vulnerable to command injection in all versions prior to and including 1.0.0. The issue exists in the lib/jscover.js file where the source argument passed to the command line tool is directly incorporated into a shell command without any sanitization or escaping [1][2]. This allows an attacker who can control the source value to inject arbitrary operating system commands.
Exploitation
Prerequisites
Attackers do not need authentication; the vulnerability can be triggered simply by passing malicious input to the source parameter. The exact attack vector depends on how jscover is invoked in the target environment. If the package is used programmatically with user-supplied data, or if a wrapper script exposes the source argument via a web interface or command line option, exploitation is straightforward [1].
Impact
Successful command injection grants the attacker the ability to execute arbitrary commands on the target server with the privileges of the running Node.js process. This can lead to full system compromise, data exfiltration, installation of malware, or persistent backdoor access [1].
Mitigation
Status
As of the latest advisory, no fix has been released for jscover [1]. The repository is archived and read-only, indicating that the project is no longer maintained. Users should either migrate away from jscover or implement strict input validation and avoid passing untrusted data to the source argument [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jscovernpm | <= 1.0.0 | — |
Affected products
2- jscover/jscoverdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `source` argument allows OS command injection."
Attack vector
An attacker can inject arbitrary OS commands by supplying a malicious `source` argument to the jscover tool [CWE-78]. The input is not neutralized before being used in a shell command, allowing command injection. The attack is triggered through the package's command-line interface or API when the `source` parameter is controlled by the attacker.
Affected code
The vulnerability exists in the `jscover` npm package, specifically in `lib/jscover.js` at line 59 [ref_id=1]. The `source` argument is passed unsanitized into a command execution context.
What the fix does
The advisory does not include a published patch. The recommended remediation is to avoid passing untrusted input to the `source` argument, or to switch to a maintained alternative. Without proper input sanitization or escaping, any user-controlled value in the `source` parameter can lead to arbitrary command execution.
Preconditions
- inputThe attacker must control the `source` argument passed to jscover.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-c5hm-xc74-pqrgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7623ghsaADVISORY
- github.com/node-modules/jscover/blob/master/lib/jscover.jsmitrex_refsource_MISC
- github.com/node-modules/jscover/blob/master/lib/jscover.jsghsaWEB
- snyk.io/vuln/SNYK-JS-JSCOVER-564250ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.