CVE-2020-7609

CRITICAL

node-rules 3.0.0-5.0.0 - Remote Code Execution via fromJSON() Argument Injection

Description

node-rules versions from 3.0.0 up to, but not including, 5.0.0 allow injection of arbitrary commands. The `rules` argument of the function `fromJSON()` can be controlled by users and is not sanitized.

Scores

CVSS v3 9.8
EPSS 0.0160
EPSS Percentile 72.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
node-rules_project/node-rules 3.0.0 - 5.0.0
npm/node-rules 3.0.0 - 5.0.0
Published Apr 27, 2020
Tracked Since Feb 18, 2026