Check Peer Dependencies
Monthly
OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.
OS command injection in christopherthielen/check-peer-dependencies up to version 4.3.4 allows remote low-privileged attackers to execute arbitrary operating system commands via the shelljs.exec() call in dist/packageUtils.js when processing peerDependency data. The vulnerable code path passes unsanitized dependency-related input directly to a shell execution function, a classic CWE-78 pattern. No vendor patch is available at time of analysis - the project maintainer has not responded to the issue report filed on GitHub (issue #74), and no KEV listing exists. EPSS data was not provided, so broad exploitation probability cannot be quantified.