CVE-2018-3772: Improper Input Validation

July 30, 2018 (updated October 9, 2019)

Concatenating unsanitized user input in the whereis npm module allows an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead.

References

nvd.nist.gov/vuln/detail/CVE-2018-3772

Detect and mitigate CVE-2018-3772 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →