Description
NPM package next-npm-version1.0.1 is vulnerable to Command injection.
Published: 2026-05-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic command injection flaw in the npm package next-npm-version 1.0.1 that allows an attacker to execute arbitrary system commands. Consequently, an adversary could gain unauthorized access to the host, modify or delete files, and potentially disrupt services, thereby compromising confidentiality, integrity, and availability. The CVSS score of 9.8 indicates a high severity impact.

Affected Systems

The affected component is the npm package next-npm-version version 1.0.1, which is distributed via npm. It is typically used in Node.js environments and may be incorporated into build or deployment scripts.

Risk and Exploitability

The CVSS score of 9.8 reflects a severe vulnerability, and the EPSS score of <1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is indirect—through unsanitized user input that is passed to a shell command within the package. If the package processes data from untrusted sources, an attacker could exploit this flaw to run arbitrary system commands. The flaw maps to CWE-94 (Improper Control of Generation of Code).

Generated by OpenCVE AI on May 9, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade next-npm-version to a patched or later release if one is available.
  • If an update is not yet provided, remove the package from the project or place it in a strictly isolated environment with limited privileges.
  • Where the package must remain, enforce strict input validation or replace the vulnerable functionality with a safer alternative that does not invoke the shell.

Generated by OpenCVE AI on May 9, 2026 at 02:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2xx6-qf7x-grqh next-npm-version is vulnerable to Command injection
History

Sat, 09 May 2026 02:30:00 +0000

Type Values Removed Values Added
Title Command Injection in npm next-npm-version Package

Sat, 09 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Command Injection in next-npm-version 1.0.1
Weaknesses CWE-78

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Afeiship
Afeiship next-npm-version
Vendors & Products Afeiship
Afeiship next-npm-version

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection in next-npm-version 1.0.1
Weaknesses CWE-78

Thu, 07 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description NPM package next-npm-version1.0.1 is vulnerable to Command injection.
References

Subscriptions

Afeiship Next-npm-version
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T22:08:39.247Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63706

cve-icon Vulnrichment

Updated: 2026-05-08T22:08:30.881Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T15:16:04.820

Modified: 2026-05-08T23:16:34.450

Link: CVE-2025-63706

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z

Weaknesses