CVE-2020-7626
Description
karma-mojo through 1.0.1 is vulnerable to command injection via the config argument, allowing arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
karma-mojo, a Karma plugin that allows running a subset of tests, is vulnerable to command injection in versions through 1.0.1. The config argument received by the reporter is passed to functions without proper sanitization, enabling an attacker to inject arbitrary commands that are executed by the system shell. The root cause is insufficient input validation on the grep property of the config object, which is directly concatenated into a command string [1][2][3].
Exploitation
An attacker can control the config object passed to the plugin, specifically the grep field. By providing a malicious string like "& touch Song", the injected command will be executed when the plugin constructs a shell command. The proof of concept provided by Snyk demonstrates that no authentication or special privileges are required beyond the ability to influence the configuration parameters passed to karma-mojo [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system running karma-mojo. This could lead to full compromise of the testing environment, data exfiltration, or lateral movement within the CI/CD pipeline. The attack surface is increased when the vulnerable package is used in automated test suites that accept external configuration.
Mitigation
As of the publication date, there is no patched version available for karma-mojo. The project appears to be abandoned or unmaintained. The only recommended mitigation is to avoid using this package or to fork it and implement proper input sanitization. Users should also ensure that untrusted input cannot influence the configuration passed to the plugin [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| karma-mojo | npm | <= 1.0.1 | — |
Affected products
- karma-mojo/karma-mojo
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `config` argument is passed unsanitized into an OS command execution, allowing shell metacharacters to inject arbitrary commands."
Attack vector
An attacker can inject arbitrary OS commands by supplying a malicious `config` argument to `karma-mojo`. Because the package does not neutralize special shell metacharacters in this input, the crafted value is interpreted as part of a command string rather than as a plain configuration parameter [CWE-78]. The attack requires no special privileges beyond the ability to pass a `config` value to the tool.
Affected code
The vulnerability exists in the `karma-mojo` package, specifically in `index.js` at line 100 [ref_id=1]. The `config` argument is passed unsanitized into an OS command execution context.
What the fix does
No patch is shown in the provided bundle. The advisory [ref_id=1] links to the vulnerable source line (`index.js#L100`) and to a Snyk advisory, but does not include a fix commit or remediation code. Users should upgrade to a patched version if one becomes available, or avoid passing untrusted input to the `config` argument.
Preconditions
- Input: attacker must be able to supply a `config` argument value to karma-mojo
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pf8j-vhg8-xmc3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7626 (advisory)
- github.com/amireh/karma-mojo/blob/master/index.js (MITRE x_refsource_MISC; GHSA web)
- snyk.io/vuln/SNYK-JS-KARMAMOJO-564260 (GHSA x_refsource_MISC; web)
News mentions
No linked articles in our index yet.