open is vulnerable to Command Injection
78
High Risk
The open crate passes caller-supplied URLs and file paths directly to the platform launcher without sanitizing them. On Unix-like systems, a path beginning with a dash is forwarded to the opener as a command-line option rather than a positional argument, allowing an attacker who controls the target to inject launcher flags. On Windows and WSL, the target is embedded inside a PowerShell -Command string, so metacharacters in an attacker-controlled path are interpreted as PowerShell syntax and can lead to arbitrary command execution. The fix passes the target through the OPEN_RS_TARGET environment variable so it is never interpolated into a shell command string, and uses end-of-options -- separators to prevent dash-leading paths from being parsed as options.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted URLs or file paths to the open crate.
open is vulnerable to Command Injection in versions 1.0.0 - 5.3.6.
Upgrade the open library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant