CVE-2020-7625
Description
op-browser versions below 1.0.9 contain a command injection vulnerability via the url parameter, allowing arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The op-browser npm package (versions < 1.0.9) suffers from a command injection vulnerability. The url parameter passed to the open function is not sanitized before being used to construct a shell command, allowing an attacker to inject arbitrary commands. The vulnerable code is located in lib/index.js [3][4].
Exploitation
An attacker who controls the url argument can execute arbitrary commands on the host running the package. In the published proof of concept the call is open('chrome','& touch Song','',''), where the second argument is the url: the `&` terminates the command the library builds and runs `touch Song` as a second command. No authentication is required when the application passes unsanitized user input through to the library [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the Node.js process. This could lead to complete compromise of the application and host system. Proof-of-concept code demonstrates command execution via the touch command [2].
Mitigation
The vulnerability has been addressed in version 1.0.9; upgrade to at least that version. Until then, the only workaround is to ensure that untrusted input never reaches the url parameter [1][2]. Note that the affected-package table on this page, sourced from the GitHub Security Advisory, lists <= 1.0.9 as affected with no patched version, so confirm the installed version against the upstream advisory and the fix pull requests before relying on the upgrade alone.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| op-browser (npm) | <= 1.0.9 | none listed |
Affected products
- op-browser/op-browser
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input is concatenated into a shell command string and executed via `exec`/`execSync` without sanitization, enabling OS command injection."
Attack vector
An attacker can inject arbitrary OS commands by supplying a malicious string as the URL argument to the `open` function [ref_id=2]. Because the input is concatenated into a shell command without neutralization, shell metacharacters such as `&` act as command separators [CWE-78]; passing `'& touch Song'` as the URL makes the shell run `touch Song` as a second command [ref_id=2]. No authentication or special network position is required; the attacker only needs to influence the URL passed to the library.
Affected code
The vulnerable code is in `lib/index.js` at line 75 [ref_id=1]. The `open` function places its `url` argument directly into a command string that is executed via `exec` or `execSync` without sanitization [ref_id=2].
What the fix does
The fix replaces all uses of `exec` and `execSync` with `execFile` and `execFileSync` [ref_id=2]. Unlike `exec`, `execFile` does not spawn a shell: the program is started directly and the URL travels as a single argv entry, so shell metacharacters in it are never parsed as command separators. This closes the command-chaining path through the URL parameter, and no other change is needed for that, because the root cause was the use of a shell-based execution function. It does not make the argument trustworthy: the launched program still receives whatever string the attacker supplied, so a caller should still restrict the URL to the schemes it expects before handing it to the library.
Preconditions
- Input: the attacker must be able to supply the string passed as the URL parameter to the `open` function of the op-browser library.
Reproduction
Create a file `poc.js` with the following content:
```js
// PoC from the advisory: the second argument is the url parameter, and the
// '& touch Song' string is chained onto the shell command the library builds.
var root = require("op-browser");
root.open('chrome','& touch Song','','');
```
Run `node poc.js`. After execution, a file named `Song` will be created in the current directory, confirming command injection [ref_id=2].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-3hq6-rmv7-39vh
- https://nvd.nist.gov/vuln/detail/CVE-2020-7625
- https://github.com/hiproxy/open-browser/blob/master/lib/index.js
- https://github.com/hiproxy/open-browser/pull/3
- https://github.com/hiproxy/open-browser/pull/4
- https://snyk.io/vuln/SNYK-JS-OPBROWSER-564259