devcert is vulnerable to command injection that results in remote code execution (RCE). The run() helper in utils.js takes the command to execute as a single string; callers build that string by concatenating user-provided input, and run() passes it unvalidated to execSync(). Because execSync() hands the string to a shell (/bin/sh on POSIX, cmd.exe on Windows), shell metacharacters in the user-provided input are interpreted, so an attacker who controls that input can execute arbitrary commands with the privileges of the devcert process.