VYPR
Critical severity · GHSA Advisory · Published Apr 6, 2020 · Updated Aug 4, 2024

CVE-2020-7634

Description

heroku-addonpool through 0.1.15 is vulnerable to command injection via the app parameter in the HerokuAddonPool function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

heroku-addonpool versions through 0.1.15 contain a command injection vulnerability in the exported function HerokuAddonPool(id, app, opt). The app parameter is passed unsanitized to child_process.exec or similar, allowing arbitrary command execution [1][2]. The vulnerability exists because the input is not validated before being interpolated into a shell command [4].

An attacker can exploit this by controlling the app parameter when calling HerokuAddonPool. A proof-of-concept (PoC) demonstrates that passing "& touch JHU" as the app parameter results in command execution [4]. No authentication is required beyond the ability to call the function with attacker-controlled input.

Successful exploitation allows an attacker to execute arbitrary system commands with the privileges of the Node.js process, leading to full compromise of the application and its environment. This could result in data theft, service disruption, or further lateral movement.

The issue has been patched in version 0.1.16, which adds a regular expression check to validate the app name [3]. Users should upgrade to heroku-addonpool@0.1.16 or later to mitigate the vulnerability.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: heroku-addonpool (npm)
Affected versions: < 0.1.16
Patched versions: 0.1.16

Patches

b1a5b316473a

fix Command Injection vulnerability

https://github.com/nodef/heroku-addonpool · Subhajit Sahu · Feb 4, 2020 · via ghsa
4 files changed · +12 −10
  • index.js (+5 −0, modified)
    @@ -2,6 +2,10 @@
     const cp = require('child_process');
     const _camel = require('lodash.camelcase');
     
    +const RAPP = /\^[\w-]+$/;
    +
    +
    +
     module.exports = function HerokuAddonPool(id, app, opt) {
       const unused = [];
       const supply = new Map();
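Review bot: the pattern on the `+const RAPP = /\^[\w-]+$/;` line escapes the caret, so `\^` matches a literal `^` character instead of anchoring at the start of the string. As written there is no start anchor, so only the tail of `app` is constrained and the prefix is unchecked, while any legitimate name that contains no caret fails the test. If the intent is an allow-list over the whole value it should read `const RAPP = /^[\w-]+$/;`. The three empty `+` lines after it can be collapsed to one.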
    @@ -10,6 +14,7 @@ module.exports = function HerokuAddonPool(id, app, opt) {
       opt = opt||{};
       opt.config = opt.config||/\S*/g;
       opt.log = opt.log||false;
    +  if(!RAPP.test(app)) throw new Error('Bad app name');
     
       const log = function(msg) {
         if(opt.log) console.log(`${id}.${msg}`);
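Review bot: `if(!RAPP.test(app)) throw new Error('Bad app name');` has no type guard, and `RegExp.prototype.test` converts its argument with ToString, so a missing `app` is tested as the string `"undefined"`, which an anchored `[\w-]+` pattern accepts. Add `typeof app !== 'string'` to the condition, and consider stating the accepted form in the error message so callers know what was rejected.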
    
  • package.json (+6 −5, modified)
    @@ -1,28 +1,29 @@
     {
       "name": "heroku-addonpool",
    -  "version": "0.1.15",
    +  "version": "0.1.16",
       "description": "Manage Addon Pool of an App in Heroku.",
       "main": "index.js",
       "scripts": {
         "test": "node test"
       },
       "repository": {
         "type": "git",
    -    "url": "git+https://github.com/wolfram77/node-herokuaddonpool.git"
    +    "url": "git+https://github.com/nodef/heroku-addonpool.git"
       },
       "keywords": [
    +    "manage",
         "heroku",
         "addon",
         "pool"
       ],
       "author": "wolfram77@gmail.com",
       "license": "MIT",
       "bugs": {
    -    "url": "https://github.com/wolfram77/node-herokuaddonpool/issues"
    +    "url": "https://github.com/nodef/heroku-addonpool/issues"
       },
    -  "homepage": "https://github.com/wolfram77/node-herokuaddonpool#readme",
    +  "homepage": "https://github.com/nodef/heroku-addonpool#readme",
       "dependencies": {
    -    "heroku-clisetup": "^0.1.5",
    +    "heroku-clisetup": "^0.1.6",
         "lodash.camelcase": "^4.3.0"
       }
     }
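Review bot: the security fix is mixed with unrelated changes: the repository, bugs and homepage URLs move from `wolfram77/node-herokuaddonpool` to `nodef/heroku-addonpool`, a `manage` keyword is added, and `heroku-clisetup` is bumped from `^0.1.5` to `^0.1.6`. That makes the fix harder to review and to backport as a minimal patch. The `heroku-clisetup` bump in particular is undocumented; if it is required by the fix the commit message should say so, otherwise it belongs in a separate commit.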
    
  • package-lock.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "heroku-addonpool",
    -  "version": "0.1.15",
    +  "version": "0.1.16",
       "lockfileVersion": 1,
       "requires": true,
       "dependencies": {
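Review bot: only the top-level `"version": "0.1.16"` bump is visible in this hunk, yet package.json widens `heroku-clisetup` to `^0.1.6`, so the lockfile's resolved entry for that dependency should change as well. Confirm the lock was regenerated with the package manager rather than hand-edited, so the recorded version and integrity for `heroku-clisetup` match the new range.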
    
  • README.md (+0 −4, modified)
    @@ -1,7 +1,3 @@
    -# heroku-addonpool
    -
    -[![NPM](https://nodei.co/npm/heroku-addonpool.png)](https://nodei.co/npm/heroku-addonpool/)
    -
     Manage Addon Pool of an App in Heroku.
     
     ```bash
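Review bot: removing the README title and NPM badge is unrelated to the command-injection fix and belongs in a separate commit. More importantly, the fix introduces a new contract, `app` must match `[\w-]+` and anything else now throws `Bad app name`, which is a behaviour change the README should document next to the usage example rather than leaving callers to discover it from the exception.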
    
