CVE-2024-39943: Nodejs Child Process Exec Template Literal Injection
execSync/exec is being called with a template literal that contains interpolated expressions. Because exec/execSync run the command through a shell (/bin/sh), any shell metacharacter present in the interpolated value (quotes, backticks, $(), ;, &&, |) will be parsed by the shell and can lead to OS command injection. Use spawnSync/spawn with an argv array ins
greprules fetch cve-2024-39943-nodejs-child-process-exec-template-literal-injection --engine opengrep
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided