{"id":"CVE-2020-4059","details":"In mversion before 2.0.0, there is a command injection vulnerability. It may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. The vulnerability is patched in version 2.0.0; earlier releases are deprecated on npm. As a workaround, escape git commit messages before passing them through the commitMessage option of the update function.","aliases":["GHSA-qjg4-w4c6-f6c6"],"modified":"2026-03-13T22:15:36.157921Z","published":"2020-06-18T20:15:10.760Z","related":["GHSA-qjg4-w4c6-f6c6"],"references":[{"type":"ADVISORY","url":"https://github.com/mikaelbr/mversion/security/advisories/GHSA-qjg4-w4c6-f6c6"},{"type":"FIX","url":"https://github.com/mikaelbr/mversion/commit/6c76c9efd27c7ff5a5c6f187e8b7a435c4722338"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mikaelbr/mversion","events":[{"introduced":"0"},{"fixed":"a9ddbc2bc86eb48f6976b85d195b6a94e81ffb22"},{"fixed":"6c76c9efd27c7ff5a5c6f187e8b7a435c4722338"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.0"}]}}],"versions":["v0.0.5","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.4.1","v0.4.2","v0.4.3","v0.5.0","v0.5.1","v1.0.0","v1.1.0","v1.10.0","v1.10.1","v1.11.0","v1.12.0","v1.13.0","v1.13.1","v1.2.0","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.6.1","v1.7.0","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-4059.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}