Open
requested to merge remediate/uncontrolled-search-path-element-in-execa-D20210806T032504 into master
Description:
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true,
which makes execa search for locally installed binaries (the project's node_modules/.bin) before the system PATH and execute them. This vulnerability is usually only exploitable when execa is used in a client-side local application.
- Severity: critical
- Confidence: unknown
- Location: storybook/yarn.lock
Solution:
Upgrade to version 2.0.0 or above.