window-control is an npm package that provides tools to manage window focus. Versions before 1.4.5 are vulnerable to Command Injection via the sendKeys function due to improper input sanitization.
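To check whether a project still resolves a release before 1.4.5, including copies pulled in transitively, the lockfile can be scanned directly. The following is an added example, not code from window-control or the advisory; the sample lockfile and the `some-dep` name are constructed, and only the package name and fixed version come from the advisory.

```javascript
// Added example: find window-control installs older than the fixed release 1.4.5.
const PACKAGE = "window-control";
const FIXED = [1, 4, 5];

function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // git URL, tag or missing version: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // 1.4.5 itself is fixed; a 1.4.5 prerelease sorts before it
}

// Returns [{ path, version }] for a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findVulnerable(lock) {
  const hits = [];
  const check = (name, path, info) => {
    if (name === PACKAGE && isVulnerable(info.version)) hits.push({ path, version: info.version });
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b"
    for (const [path, info] of Object.entries(lock.packages)) {
      check(path.split("node_modules/").pop(), path, info);
    }
  } else {
    // v1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, path, info);
        walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: one fixed top-level copy, one older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/window-control": { version: "1.4.5" },
    "node_modules/some-dep/node_modules/window-control": { version: "1.4.3" },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerable` and fail the build when the result is non-empty.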
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-25926
- https://github.com/bruno-robert/window-control/commit/075c854534a749d887655a906759f5a7eee95173
- https://github.com/bruno-robert/window-control/releases/tag/v1.4.5
- https://security.snyk.io/vuln/SNYK-JS-WINDOWCONTROL-3186345
- https://github.com/advisories/GHSA-9mjx-wfqp-j5ph