Advisories for Npm/Codecov package

In codecov (npm package), the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in …

The codecov-node npm module allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js.

Codecov npm module allows remote attackers to execute arbitrary commands via the gcov-args argument.