Command Injection Vulnerability in find-exec
Description
Command injection in find-exec <1.0.3 allows attackers to run arbitrary shell commands via unsanitized user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
In versions prior to 1.0.3, the find-exec npm utility, which is designed to discover available shell commands, fails to properly escape user-supplied input. The package accepts command names as arguments and attempts to execute each one to check availability. Because the input is passed directly to exec() without sanitization, an attacker can inject arbitrary shell commands by including shell metacharacters [1][3].
Exploitation Details
Exploitation requires the attacker to control the command name provided to find-exec. For example, calling find("mplayer; touch hacked") executes both the which mplayer check and the touch hacked command in sequence. The isExec function in the original code runs exec(command, ...) without quoting the user input, allowing shell interpretation of injected operators like semicolons or backticks [3][4].
Impact
Successful exploitation lets an attacker execute arbitrary shell commands with the same privileges as the calling process. This can lead to file manipulation, data exfiltration, or further system compromise, depending on the application context [1][3].
Mitigation
Version 1.0.3 fixes the issue by using shell-quote's quote() function to properly escape each token of the command before execution [4]. Users unable to upgrade should ensure all input passed to find-exec comes from a trusted source and never allow user-controlled data to reach the find() call [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| find-exec (npm) | < 1.0.3 | 1.0.3 |
Affected products (2)
Patches (1)
74fb108097c2 Start using shell quote
2 files changed · +5 −2
index.js+2 −1 modified@@ -1,5 +1,6 @@ var exec = require('child_process').execSync var platform = require('os').platform() +var quote = require("shell-quote").quote module.exports = function(){ var commands = Array.isArray(arguments[0]) ? arguments[0] : Array.prototype.slice.apply(arguments) @@ -17,7 +18,7 @@ module.exports = function(){ function isExec(command){ try{ - exec(command, { stdio: 'ignore' }) + exec(quote(command.split(" ")), { stdio: 'ignore' }) return true } catch (_e){
package.json+3 −1 modified@@ -28,5 +28,7 @@ "expect.js": "^0.3.1", "mocha": "^9.1.3" }, - "dependencies": {} + "dependencies": { + "shell-quote": "^1.8.1" + } }
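Review bot: In isExec, command.split(" ") splits on single spaces only, so an input with doubled spaces yields empty tokens that quote() passes on as separate quoted arguments. The metacharacters are neutralized, but the lookup now receives arguments the caller never intended. Since exec is execSync and a shell is still started, consider rejecting any name that does not match a strict pattern before the command is built, or resolving the name without a shell. The file also reads os.platform(), which suggests a Windows code path; please confirm that quote()'s POSIX-style escaping is interpreted as intended by the shell used there.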
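Review bot: No regression test accompanies the package.json change, although mocha and expect.js already appear in the context lines of this hunk and the summary shows only index.js and package.json touched. Add a test that passes a name containing shell metacharacters and asserts that no side effect occurs, so a later refactor of isExec cannot silently reintroduce the injection. The fix also now depends on the shell-quote range ^1.8.1, so commit a lockfile to keep the resolved version reviewable.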
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-95rp-6gqp-6622 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-40582 (ghsa, ADVISORY)
- github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c (ghsa, x_refsource_MISC, WEB)
- github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622 (ghsa, x_refsource_CONFIRM, WEB)