Command Injection
Description
Command injection in mversion package allows remote code execution via unsanitized tagName input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-7688 is a command injection vulnerability in the mversion npm package, a cross-packaging manager version handler. The flaw exists because the tagName parameter is passed directly to the exec function without sanitization, allowing arbitrary shell commands to be injected [1][2].
An attacker can exploit this by providing a malicious tagName value when calling the mversion.update() method. The proof of concept demonstrates appending a semicolon followed by a command (e.g., ; touch hbkhan) to the tagName, which gets executed in the shell [2][3]. No authentication is required if the attacker can control the input to the vulnerable function.
Successful exploitation leads to remote code execution (RCE) on the system running the vulnerable version of mversion. This could allow an attacker to execute arbitrary commands, potentially compromising the host environment [3].
The vulnerability affects mversion versions prior to 2.0.1. The fix was implemented in commit b7a8b32 by escaping the tagName with escapeQuotes() before passing it to exec [4]. Users should upgrade to version 2.0.1 or later. No workarounds are mentioned.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mversion (npm) | < 2.0.1 | 2.0.1 |
Affected products
Patches
b7a8b32600e6 Fix Remote Command Execution
1 file changed · +1 −1
lib/git.js+1 −1 modified@@ -61,7 +61,7 @@ module.exports.commit = function (files, message, newVer, tagName, callback) { function (done) { cp.exec( - [gitApp, "tag", "-a", tagName, "-m", message].join(" "), + [gitApp, "tag", "-a", escapeQuotes(tagName), "-m", message].join(" "), gitExtra, done );
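Review bot: escapeQuotes(tagName) covers the one interpolation the advisory reports, but the same cp.exec call still joins message (and gitApp) into the shell string unescaped, so a commit message carrying shell metacharacters gets exactly the treatment tagName got before this patch; either pass message through the same helper or, better, drop the string join and call cp.execFile(gitApp, ["tag", "-a", tagName, "-m", message], gitExtra, done) so that no shell parses any of the arguments. Because escapeQuotes is not defined in this hunk, the diff alone does not show whether it neutralises everything a shell treats specially (semicolons, $(...), backticks, newlines) rather than only quote characters, which is a further reason to prefer the argv form over escaping.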
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-6m8p-4fxj-pgc2 (GHSA; advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-7688 (GHSA; advisory)
- [3] github.com/418sec/huntr/pull/102 (GHSA; x_refsource_MISC; web)
- [4] github.com/mikaelbr/mversion/commit/b7a8b32600e60759a7ad3921ec4a2750bf173482 (GHSA; x_refsource_MISC; web)
- [5] snyk.io/vuln/SNYK-JS-MVERSION-573174 (GHSA; x_refsource_MISC; web)
News mentions
No linked articles in our index yet.