VYPR
Critical severity · NVD Advisory · Published Apr 2, 2020 · Updated Aug 4, 2024

CVE-2020-7629

Description

install-package through 0.4.0 is vulnerable to command injection via the options argument, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability analysis

CVE-2020-7629 affects the npm package install-package in all versions up to and including 0.4.0. The flaw is OS command injection in the package's Node-module installation routine: the options argument is interpolated into a shell command string without sanitization, so any shell metacharacters in that argument (&, ;, |, $( ) and backticks) end the intended install command and start a new one. Whoever controls the options value can therefore run arbitrary system commands [1][2].

Exploitation

The attack surface is the install-package API when it is called with a user-controlled options parameter. The Snyk advisory's proof of concept is root("", "& touch Song"), where root is the function the PoC obtains from install-package: the package name is empty and the options value contains a shell & followed by the attacker's command, so the shell runs touch Song after the (empty) install command. The package itself imposes no authentication; the practical precondition is an application that passes attacker-influenced data, for example user-chosen install flags, as the options argument. The injected command runs with the privileges of the Node.js process [1].

Impact

A successful attack executes arbitrary commands with the privileges of the Node.js process that called install-package, which in a typical deployment means the application or build server. From there an attacker can read or exfiltrate data, install persistence, or move laterally within the network [1][2].

Mitigation

The affected-package data on this page lists no patched version: every release through 0.4.0 is affected and no fix has been discovered. Until a fixed release exists, treat the package as unsafe for any options value that is not a hard-coded constant: remove the dependency, or wrap the call so that options is assembled only from an allowlist of fixed flags and never from request data, configuration files or other untrusted input. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
install-package  npm         <= 0.4.0            none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `install-package` package passes the `options` argument unsanitized into an OS command, enabling arbitrary command injection."

Attack vector

An attacker can inject arbitrary OS commands by supplying a crafted `options` value (a plain string in the published PoC) to the `install-package` function. Because the package does not neutralize special elements in `options` before building a shell command string, a command embedded in the options is executed on the host system. This is a classic OS Command Injection flaw [CWE-78]. The attack requires no privileges beyond the ability to influence the arguments passed to the vulnerable function.

Affected code

The vulnerability resides in the `install-package` npm package, in `index.js` around line 82, where the `options` argument is passed into an OS command execution call without neutralization of shell metacharacters. The advisory points to this line as the injection point.

What the fix does

The advisory does not include a patch diff, and this page lists no patched version, so the remediation below describes what a fix would need to do rather than a shipped change. The robust fix is to stop constructing a shell command string at all: invoke the package manager through `child_process.execFile` or `spawn` with an argument array, so that each option reaches the program as one literal argument that no shell reinterprets, and validate each option against an allowlist of expected flags before passing it on. Escaping shell metacharacters in the string-building code is a weaker second choice, because escaping rules differ by shell and platform and a single missed case reopens the injection.

Preconditions

  • Input: The attacker must be able to supply an `options` argument to the `install-package` function, typically via a crafted API call or dependency configuration.
  • Auth: No authentication or special privileges are required beyond the ability to invoke the vulnerable function with attacker-influenced arguments.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)