Affected script: "install-scripts:install"
The code is executing shell commands without proper sanitization, which opens the door for command injection vulnerabilities, especially by manipulating the fuelCoreVersion to include nefarious shell commands. This can lead to arbitrary code execution with the privileges of the user running the script. Furthermore, it downloads and executes code from the internet, which could be a vector for introducing malicious code if the source is not adequately secured or if the transfer is intercepted (man-in-the-middle attack). The use of execSync to run shell commands with user input (binPath, etc.) is particularly dangerous.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.