Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OS command injection grants arbitrary code execution, warranting C:H/I:H/A:H; PR:L because attacker must control peerDependency input data fed to the tool.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vulnerability is the function shelljs.exec of the file dist/packageUtils.js of the component peerDependencies. This manipulation causes os command injection. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have the ability to influence peerDependency data that check-peer-dependencies processes - this is the specific prerequisite grounded in CWE-78 and the shelljs.exec code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates a network-reachable, low-complexity attack requiring low privileges and no user interaction, which describes a realistic threat in CI/CD and developer automation contexts where the tool is commonly invoked against third-party package content. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can introduce a malicious or modified package.json - for example, by contributing to a repository whose CI/CD pipeline runs check-peer-dependencies, or by publishing a malicious npm package whose peerDependencies field contains shell metacharacters - could cause the shelljs.exec() call in packageUtils.js to execute arbitrary OS commands on the CI/CD runner or developer workstation when the tool processes that dependency data. No confirmed public exploit code exists at time of analysis, but the exploitation pattern is straightforward given the classic command injection nature of CWE-78. |
| Remediation | No vendor-released patch has been identified at time of analysis - the upstream maintainer has not responded to the vulnerability disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42234
GHSA-fmmh-7qjr-fp9g