CVE-2020-7602

CRITICAL

node-prompt-here <= 1.0.1 - OS Command Injection via getDevices Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7602. PoCs published by dannyEndorTest.

AI-analyzed exploit summary: This repository demonstrates a command injection vulnerability in 'node-prompt-here' (CVE-2020-7602) by passing an unsanitized environment variable (NM_CLI) to a shell command. The Dockerfile and main.js show how arbitrary commands can be executed via the NM_CLI_OVERRIDE environment variable.

Description

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "getDevices()" function in the file "linux/manager.js", which is required by the package's index module, calls "runCommand()". That function builds the argument of "execSync()" from "process.env.NM_CLI", a value that can be controlled by users and is passed to the shell without any sanitization.

Exploits (1)

nomisec WORKING POC
by dannyEndorTest · poc
https://github.com/dannyEndorTest/node-prompt-here


Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: node-prompt-here 1.0.1
No auth needed
Prerequisites: Docker environment · ability to set environment variables
Analyzed by devstral-2 on May 20, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115

Scores

CVSS v3 9.8
EPSS 0.0043
EPSS Percentile 62.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
node-prompt-here_project/node-prompt-here < 1.0.1
npm/node-prompt-here
Published Mar 15, 2020
Tracked Since Feb 18, 2026