codecov is vulnerable to command injection. The gcov arguments handled in the main function of __init__.py are not sanitized before they are passed to Popen, so an attacker who controls those arguments can inject and execute malicious commands.
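As an added illustration, not codecov's own code: the assumed weak pattern (gcov arguments spliced into a single shell command string) beside a hardened builder that allowlists each token and hands Popen an argv list. The function names, the token regex and the sample inputs are assumptions constructed for this example.

```python
import re
import shlex
import subprocess
from typing import List

# Assumed weak pattern (constructed, not codecov's code): caller-supplied
# gcov arguments are concatenated into one string that would be run with
# shell=True, so the shell, not gcov, parses whatever the caller supplied.
def gcov_command_string(extra_args: str) -> str:
    return "gcov --object-directory . " + extra_args  # do not run with shell=True

# Allowlist for a single token: a gcov flag, a flag=value pair, or a plain
# path made of safe characters. Shell operators, quotes and substitutions
# never match and are rejected before any process is spawned.
_TOKEN_RE = re.compile(
    r"^(?:-{1,2}[A-Za-z][A-Za-z0-9-]*(?:=[A-Za-z0-9_./-]+)?|[A-Za-z0-9_./-]+)$"
)

def validate_gcov_args(extra_args: str) -> List[str]:
    # shlex.split honours quoting the way a shell would, but the result is
    # only ever used as separate argv entries, never re-joined into a string.
    tokens = shlex.split(extra_args)
    for tok in tokens:
        if not _TOKEN_RE.match(tok):
            raise ValueError(f"rejected gcov argument: {tok!r}")
    return tokens

def is_safe_gcov_args(extra_args: str) -> bool:
    try:
        validate_gcov_args(extra_args)
        return True
    except ValueError:
        return False

def gcov_argv(extra_args: str) -> List[str]:
    # Hardened form: a fixed command prefix plus validated tokens as a list.
    return ["gcov", "--object-directory", "."] + validate_gcov_args(extra_args)

def run_gcov(extra_args: str) -> subprocess.Popen:
    # shell=False (the default): no shell ever interprets the arguments.
    return subprocess.Popen(
        gcov_argv(extra_args), stdout=subprocess.PIPE, stderr=subprocess.PIPE
    )

if __name__ == "__main__":
    print(gcov_argv("--branch-probabilities src/main.c"))
    print(is_safe_gcov_args("-b; echo injected"))  # False
```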