CVE-2020-7627
Description
CVE-2020-7627 describes a command injection vulnerability in node-key-sender through v1.0.11, allowing arbitrary command execution via the arrParams argument in the execute() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
node-key-sender is a Node.js module that sends keyboard events to the operating system. Versions up to and including 1.0.11 are vulnerable to command injection due to insufficient sanitization of user-controlled input passed to the arrParams argument in the execute() function. The issue exists in the key-sender.js file at line 117, where unsanitized parameters are directly passed to a system command [1][2][3].
Attack Vector
The vulnerability is triggered when an attacker supplies a malicious value to the arrParams parameter. For example, providing an array like ["&touch", "Song"] results in the injected &touch command being executed along with the intended keyboard event function. No authentication is required to exploit this; any application using the vulnerable version of the library and allowing user-controlled input to reach this function is at risk [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the same privileges as the Node.js process. This can lead to complete compromise of the application and potentially the underlying system, depending on the runtime environment [1][2].
Mitigation
As of the publication date, no patched version of node-key-sender has been released. The only recommended mitigation is to avoid using this package in production or to replace it with an alternative that does not expose command injection vulnerabilities [1]. The vulnerability is publicly documented and a proof-of-concept has been provided, increasing the risk of active exploitation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-key-sender (npm) | <= 1.0.11 | — |
Affected products
- node-key-sender/node-key-sender
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `execute()` function allows OS command injection via the `arrParams` argument."
Attack vector
An attacker can supply a malicious `arrParams` argument to the `execute()` function. Because the input is not neutralized, special shell characters in the argument are interpreted by the operating system, enabling arbitrary command execution. The attack requires no authentication and can be triggered remotely if the application passes user-controlled data to this function.
Affected code
The vulnerability resides in the `execute()` function within `key-sender.js` at line 117. The `arrParams` argument is passed unsanitized into an OS command, allowing injection of arbitrary commands.
What the fix does
The advisory does not include a patch diff. The recommended remediation is to sanitize or escape the `arrParams` input before passing it to the OS command, or to avoid constructing shell commands from user-controlled data entirely. Without a published fix, users should upgrade to a patched version if one becomes available or apply input validation as a workaround.
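The two remediation options named above, sketched as an added example (not code from node-key-sender or from the advisory): the string-building pattern next to an allow-list check plus shell-free execution. The helper name, the token pattern and every function name are assumptions made for illustration, and Node itself stands in for the child program so the block runs offline.

```javascript
'use strict';
// Added illustration, not node-key-sender's code. HELPER stands in for the
// program that emits the key events; KEY_TOKEN is an assumed allow-list.
const HELPER = 'key-helper';
const KEY_TOKEN = /^[A-Za-z0-9@][A-Za-z0-9_-]{0,31}$/;

// Constructed sample inputs; the second is the array quoted on this page.
const SAMPLE_BENIGN = ['control-c', 'enter'];
const SAMPLE_HOSTILE = ['&touch', 'Song'];

// Pattern behind the advisory: parameters are joined into one string that a
// shell later parses, so "&", ";", "|" or "$(" in a value become shell syntax.
function buildShellString(arrParams) {
  return `${HELPER} ${arrParams.join(' ')}`;
}

// Hardened step 1: accept only an array of short key tokens, reject the rest.
// A leading "-" is refused as well, so a value cannot pose as an option.
function validateParams(arrParams) {
  if (!Array.isArray(arrParams) || arrParams.length === 0) {
    throw new TypeError('arrParams must be a non-empty array');
  }
  for (const p of arrParams) {
    if (typeof p !== 'string' || !KEY_TOKEN.test(p)) {
      throw new RangeError(`rejected parameter: ${JSON.stringify(p)}`);
    }
  }
  return arrParams.slice();
}

// Hardened step 2: hand the values over as an argv array with no shell in
// between. The child (Node, as a stand-in) echoes the arguments it received.
function argvSeenByChild(args) {
  const { execFileSync } = require('node:child_process');
  const echo = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', echo, '--', ...args], {
    shell: false, timeout: 5000, encoding: 'utf8',
  });
  return JSON.parse(out);
}

// Combined path: validate first, then execute without a shell.
function sendKeys(arrParams) {
  return argvSeenByChild(validateParams(arrParams));
}
```

Calling argvSeenByChild(SAMPLE_HOSTILE) directly shows that each element reaches the child as a plain argument, while sendKeys(SAMPLE_HOSTILE) is refused by the allow-list before any process is started.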
Preconditions
- Input: The application must pass attacker-controlled data to the `arrParams` argument of the `execute()` function.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4xrw-wvmq-8jmh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7627 (ghsa, ADVISORY)
- github.com/garimpeiro-it/node-key-sender/blob/master/key-sender.js (mitre, x_refsource_MISC)
- github.com/garimpeiro-it/node-key-sender/blob/master/key-sender.js (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-NODEKEYSENDER-564261 (ghsa, x_refsource_MISC, WEB)