This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen...
6.5CVSS
6.3AI Score
0.001EPSS
In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was....
9.3CVSS
9.4AI Score
0.016EPSS
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of...
8.8CVSS
9.1AI Score
0.008EPSS
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args"...
8.8CVSS
8.9AI Score
0.006EPSS