OS Command Injection in ljharb/npm-lockfile
Description
An OS Command Injection vulnerability in npm-lockfile v2.0.3 and v2.0.4 allows arbitrary command execution via the `only` option.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The getLockfile function in npm-lockfile versions 2.0.3 and 2.0.4 is vulnerable to OS command injection. The `only` option is not sanitized before being passed to shell commands, so a caller can inject arbitrary commands. The vulnerable code path is reachable whenever a caller passes a malicious `only` value to the function.
Exploitation
An attacker needs to supply a crafted `only` parameter containing shell metacharacters (e.g., `;` or `&&`) when calling the getLockfile API. No special network position or authentication is required; exploitation occurs locally if the library processes untrusted input. The attacker's input is directly interpolated into a shell command without validation.
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the process running npm-lockfile. This can lead to full compromise of the affected system, including data exfiltration, file modification, or further lateral movement [1][4].
Mitigation
The fix is available in commit `bfdb84813260f0edbf759f2fde1e8c816c1478b8`, which rejects any `only` value that is not exactly "prod" or "production" [3]. Affected users should update to a version containing this fix (post-v2.0.4). The repository has been archived and is read-only as of March 2026; users on impacted versions should migrate to an alternative or fork that includes the patch [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| npm-lockfile | npm | >= 2.0.3, < 2.0.5 | 2.0.5 |
Affected products
- ljharb/npm-lockfile (v5), range: 2.0.3
Patches
- bfdb84813260: [Fix] reject invalid `only` values
2 files changed · +4 −0
.eslintrc+1 −0 modified@@ -7,6 +7,7 @@ "consistent-return": 1, "func-name-matching": 0, "max-nested-callbacks": 0, + "max-lines-per-function": 0, "sort-keys": 0, }, }
getLockfile.js+3 −0 modified@@ -23,6 +23,9 @@ module.exports = function getLockfile(packageFile, date, { if (typeof date !== 'undefined' && !new Date(date).getTime()) { return Promise.reject(colors.red(`\`date\` must be a valid Date format if provided; got ${inspect(date)}`)); } + if (only && only !== 'prod' && only !== 'production') { + return Promise.reject(colors.red('`only`, when provided, must be "prod" or "production"')); + } const tmpDirP = getProjectTempDir({ npmNeeded, logger }); const npmRC = path.join(path.dirname(packageFile), '.npmrc'); const copyPkg = tmpDirP.then((tmpDir) => {
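Review bot: the .eslintrc hunk disables `max-lines-per-function` for the whole repository, which the commit message "[Fix] reject invalid `only` values" does not mention; either state in the message why the lint change is needed alongside the new guard, or split it into its own commit so the security fix stays reviewable on its own.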
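Review bot: the new guard in getLockfile.js is an allow-list, which is the right shape, but `if (only && only !== 'prod' && only !== 'production')` only checks truthy values, so an empty string or other falsy `only` still flows past it; consider `typeof only !== 'undefined' && only !== 'prod' && only !== 'production'`, matching the `typeof date !== 'undefined'` style of the date check immediately above. This check is also the single barrier at the entry point; wherever the value is later placed on a command line, passing it as a separate argv element rather than interpolating it into a shell string would make the allow-list defence in depth.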
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-cr6m-62pq-hmqh (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-0841 (advisory)
- [3] github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8 (web)
- [4] huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1 (web)