Command Injection
Description
A command injection in node-notifier before 9.0.0 allows arbitrary command execution on Linux by passing an unsanitized array as options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
The Node.js module node-notifier, used for sending native desktop notifications, is vulnerable to command injection in versions before 9.0.0. The vulnerability stems from insufficient sanitization of the options parameter when it is passed as an array. On Linux systems, this allows an attacker to inject arbitrary shell commands through specially crafted input strings [1][3].
Exploitation
To exploit this vulnerability, an attacker must be able to influence the arguments passed to node-notifier's methods, typically via user-controlled input that ends up in the options array. No authentication is required beyond normal application access, and the attack vector is network-based or local, depending on how the library is used. The library does not properly sanitize array elements before they are used in constructing shell commands, enabling command injection [1][2].
Impact
Successful exploitation permits arbitrary command execution with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or lateral movement within the infrastructure. The vulnerability carries a high CVSS score, reflecting the potential for remote code execution [3].
Mitigation
Users should upgrade node-notifier to version 5.4.5, 8.0.2, or 9.0.1 or later, as these releases include the fix. The fix was committed in 5d62799 and ensures that array inputs are sanitized [2]. The vulnerability is publicly known and was reported by Alessio Della Libera (d3lla) [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
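The sanitization gap described under Exploitation and Mitigation above, shown as an added example that is not node-notifier's code: a notifier that assembles a shell command string and escapes only string values (array elements take a separate path and bypass the escaping) next to one that flattens every option, string or array, into an argv array and hands it to child_process.execFile without a shell. The function names, the option allowlist, the `--flag` syntax and the notify-send invocation are assumptions for illustration, not the library's API.

```javascript
'use strict';
// Added example, not node-notifier's code. It contrasts a notifier that builds a
// shell command string (only strings are escaped, array elements are spliced in
// raw) with one that builds an argv array and runs the program with no shell.
// Option keys, flag names and the notify-send invocation are assumed.

// Option keys the notifier is allowed to forward. Anything else is rejected so a
// caller-controlled object cannot smuggle extra flags into the command line.
const ALLOWED_KEYS = new Set(['title', 'message', 'icon', 'urgency']);

// Escape one value for a double-quoted POSIX shell argument.
function escapeForShell(value) {
  return '"' + String(value).replace(/(["\\$`])/g, '\\$1') + '"';
}

// VULNERABLE pattern: a shell string with per-string escaping. Array values take
// a different code path and reach the string unescaped, which is the bug class
// the advisory describes.
function buildShellCommandUnsafe(options) {
  const parts = ['notify-send'];
  for (const [key, value] of Object.entries(options)) {
    if (Array.isArray(value)) {
      parts.push('--' + key, value.join(' ')); // BUG: escapeForShell is skipped
    } else {
      parts.push('--' + key, escapeForShell(value));
    }
  }
  return parts.join(' ');
}

// HARDENED pattern: flatten options into an argv array. Strings and arrays go
// through the same path, every value becomes its own argv element, and nothing
// is ever parsed by a shell.
function buildArgv(options) {
  const argv = [];
  for (const [key, value] of Object.entries(options)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new TypeError(`unsupported option: ${key}`);
    }
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (typeof v !== 'string' && typeof v !== 'number') {
        throw new TypeError(`option ${key} must be a string, number or array of those`);
      }
      argv.push('--' + key, String(v));
    }
  }
  return argv;
}

// Defensive audit check: return the argv elements that contain shell
// metacharacters. They are inert when passed through execFile, but logging them
// is a cheap way to notice a caller feeding untrusted text into notifications.
const SHELL_METACHARS = /[;&|`$<>()\\"']/;
function findShellMetachars(argv) {
  return argv.filter((arg) => SHELL_METACHARS.test(arg));
}

// Send the notification without a shell. `exec` is child_process.execFile (or a
// stub in tests), injected so that importing this file has no side effects.
// execFile receives the program and its argument list separately; with
// shell:false (the default) each element is delivered to notify-send verbatim.
function notify(options, exec) {
  const argv = buildArgv(options);
  return new Promise((resolve, reject) => {
    exec('notify-send', argv, { shell: false }, (err, stdout) => {
      if (err) reject(err);
      else resolve(stdout);
    });
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample input: an array-valued message carrying a shell metacharacter.
  const options = { title: 'Build', message: ['done; echo INJECTED'] };
  console.log('unsafe string:', buildShellCommandUnsafe(options));
  console.log('argv:', buildArgv(options));
  console.log('flagged:', findShellMetachars(buildArgv(options)));
  // To actually send: notify(options, require('child_process').execFile)
}
```

With the argv approach the array-versus-string distinction that caused the bug disappears: both take the same path, and because no shell parses the arguments a metacharacter in a value is just a character. The escaping-based variant is only as safe as the least-covered code path, which is exactly what an unsanitized array exposes.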
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-notifier (npm) | < 8.0.1 | 8.0.1 |
Patches
1 file changed · +1 −1
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "node-notifier", - "version": "8.0.0", + "version": "8.0.1", "description": "A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)", "main": "index.js", "scripts": {
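Review bot: the only change in this hunk is the "version" bump from 8.0.0 to 8.0.1 in package.json; the array sanitization that the Mitigation paragraph attributes to commit 5d62799 is not in the visible diff, and lib/utils.js (whose line 303 is cited in the references) does not appear among the changed files. If this is the whole commit, the version bump on its own fixes nothing and the advisory should point at the commit that changes utils.js; if the extraction dropped the other file, the patch view should be regenerated so the reviewed change matches the file-count header above it.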
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-5fw9-fq32-wv5p (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-7789 (advisory)
- https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js#L303 (web)
- https://github.com/mikaelbr/node-notifier/commit/5d62799dab88505a709cd032653b2320c5813fce (web)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050371 (web)
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794 (web)