{"id":"CVE-2020-7789","details":"This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.","aliases":["GHSA-5fw9-fq32-wv5p"],"modified":"2026-04-11T23:12:37.992345Z","published":"2020-12-11T10:15:12.423Z","related":["SNYK-JAVA-ORGWEBJARSNPM-1050371","SNYK-JS-NODENOTIFIER-1035794"],"references":[{"type":"WEB","url":"https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js%23L303"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050371"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mikaelbr/node-notifier","events":[{"introduced":"0"},{"fixed":"5d62799dab88505a709cd032653b2320c5813fce"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"8.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:node-notifier_project:node-notifier:*:*:*:*:*:node.js:*:*"}}],"versions":["v1.0.0-beta2","v1.1.0","v1.1.1","v1.1.1-1","v1.1.1-2","v1.1.2-0","v1.2.0","v1.2.1","v2.0.0-alpha","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v3.0.0","v3.0.0-1","v3.0.2","v3.0.3","v3.0.5","v3.0.6","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.2.0","v3.2.1","v3.4.0","v3.4.1","v4.0.0","v4.0.1","v4.0.2","v4.1.0","v4.1.1","v4.1.2","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.3.0","v4.3.1","v4.4.0","v4.5.0","v4.6.0","v4.6.1","v5.0.0","v5.0.1","v5.0.2","v5.1.0","v5.1.1","v5.1.2","v5.2.0","v5.2.1","v5.3.0","v5.4.0","v5.4.3","v6.0.0","v7.0.0","v7.0.1","v7.0.2","v8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7789.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}