The p4 package before version 0.0.7 is vulnerable to command injection via the run() function due to improper input sanitization.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-25171
- https://github.com/natelong/p4/commit/ae42e251beabf67c00539ec0e1d7aa149ca445fb
- https://security.snyk.io/vuln/SNYK-JS-P4-3167330
- https://github.com/natelong/p4/blob/master/p4.js#L12
- https://github.com/advisories/GHSA-jfm8-hwhg-r6gg