Affected script: "install-scripts:install"
The code is executing shell commands without proper sanitization, which opens the door for command injection vulnerabilities, especially by manipulating the `fuelCoreVersion` to include nefarious shell commands. This can lead to arbitrary code execution with the privileges of the user running the script. Furthermore, it downloads and executes code from the internet, which could be a vector for introducing malicious code if the source is not adequately secured or if the transfer is intercepted (man-in-the-middle attack). The use of `execSync` to run shell commands with user input (`binPath`, etc.) is particularly dangerous.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |