CVE-2023-26129
Description
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. Note: To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
bwm-ng is vulnerable to command injection in the 'check' function due to improper input sanitization, requiring Node.js code execution capability.
Vulnerability
Overview
The bwm-ng package for Node.js is vulnerable to command injection in all versions. The flaw resides in the check function within bwm-ng.js, which fails to properly sanitize user-supplied input. This allows an attacker to inject arbitrary OS commands that are subsequently executed by the application [1][2].
Exploitation
Requirements
To exploit this vulnerability, an attacker must have the ability to execute Node.js code in the target environment. This typically means they already have some level of access to the system or application hosting the Node.js runtime. A proof-of-concept (PoC) demonstrates injecting a command like `;touch EXPLOITED;` into the interface array argument of the check function [2].
Impact and Mitigation
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement. As of the publication date, there is no fixed version available for bwm-ng. Until a patch is released, users should avoid passing unsanitized input to the check function or consider using alternative packages [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bwm-ng (npm) | <= 0.1.1 | — |
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-8vw3-vxmj-h43w (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26129 (source: GHSA; type: advisory)
- security.snyk.io/vuln/SNYK-JS-BWMNG-3175876 (source: GHSA; type: web)
News mentions (0)
No linked articles in our index yet.