CVE-2017-16042

CRITICAL

Growl < 1.10.2 - OS Command Injection via Improper Input Sanitization

Description

Growl adds Growl notification support to Node.js. Growl before 1.10.2 does not properly sanitize input before passing it to `exec`, allowing for arbitrary command execution.

References (3)

Core References
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/146
Patch, Third Party Advisory x_refsource_misc
https://github.com/tj/node-growl/pull/61
Third Party Advisory x_refsource_misc
https://github.com/tj/node-growl/issues/60

Scores

CVSS v3 9.8
EPSS 0.0441
EPSS Percentile 90.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78 CWE-94
Status published
Products (2)
growl_project/growl < 1.10.2
npm/growl 0 - 1.10.0
Published Jun 04, 2018
Tracked Since Feb 18, 2026