hyperframes is vulnerable to Command Injection
64
Medium Risk
The upgrade command in the Hyperframes CLI builds the string npm install -g hyperframes@<latest> from the version reported by the npm registry and, in non-interactive mode (--yes), executes it with execSync, which spawns a shell. Because the registry-supplied version value is used without validation, a poisoned or man-in-the-middled registry response carrying shell metacharacters (for example 1.2.3; <command>) is interpreted as extra shell commands. This allows arbitrary command execution on the machine running the CLI. The fix validates the version as strict semver and switches to execFileSync with shell:false so the value can no longer break out of the argument.
You are affected if you are using a version that falls within the vulnerable range and you run the CLI's non-interactive upgrade --yes command.
hyperframes is vulnerable to Command Injection in versions 0.2.3 - 0.6.7.
Upgrade the hyperframes library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant