Affected script: "install-scripts:install"
The code allows for arbitrary code execution because it constructs command strings using potentially unsanitized input (`fuelCoreVersion`, `pkgPlatform`) and executes them with `execSync`, which can lead to remote code execution if the input is crafted maliciously. It also downloads and installs binaries from an external source without verifying their integrity, which could lead to installation of malicious binaries if the external source is compromised.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |