CVE-2020-7678

HIGH

node-import - Remote Code Execution via Unsanitized Params Argument

Title source: llm
STIX 2.1

Description

This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js".

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://security.snyk.io/vuln/SNYK-JS-NODEIMPORT-571691
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/mahdaen/node-import/blob/master/index.js%23L79

Scores

CVSS v3 8.6
EPSS 0.0093
EPSS Percentile 56.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Details

Status published
Products (2)
node-import_project/node-import
npm/node-import 0npm
Published Jul 25, 2022
Tracked Since Feb 18, 2026