{"api_version":"1","generated_at":"2026-04-23T03:25:35+00:00","cve":"CVE-2020-7677","urls":{"html":"https://cve.report/CVE-2020-7677","api":"https://cve.report/api/cve/CVE-2020-7677.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-7677","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-7677"},"summary":{"title":"CVE-2020-7677","description":"This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2022-07-25 14:15:00","updated_at":"2023-11-07 03:26:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/","name":"FEDORA-2023-ce8943223c","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: yarnpkg-1.22.19-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a","name":"N/A","refsource":"CONFIRM","tags":[],"title":"fix: remove eval (#30) · thenables/thenify@0d94a24 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html","name":"[debian-lts-announce] 20220930 [SECURITY] [DLA 3128-1] node-thenify security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3128-1] node-thenify security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/","name":"FEDORA-2023-18fd476362","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/thenables/thenify/blob/master/index.js%23L17","name":"N/A","refsource":"CONFIRM","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/","name":"FEDORA-2023-18fd476362","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/","name":"FEDORA-2023-ce8943223c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: yarnpkg-1.22.19-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Arbitrary Code Execution in org.webjars.npm:thenify | CVE-2020-7677 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Arbitrary Code Execution in thenify | CVE-2020-7677 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/thenables/thenify/blob/master/index.js#L17","name":"MISC:https://github.com/thenables/thenify/blob/master/index.js%23L17","refsource":"MITRE","tags":[],"title":"thenify/index.js at master · thenables/thenify · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-7677","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7677","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"JHU System Security Lab","lang":""}],"nvd_cpes":[{"cve_year":"2020","cve_id":"7677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"7677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"7677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"7677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"thenify_project","cpe5":"thenify","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-7677","qid":"181086","title":"Debian Security Update for node-thenify (DLA 3128-1)"},{"cve":"CVE-2020-7677","qid":"199286","title":"Ubuntu Security Notification for thenify Vulnerability (USN-6016-1)"},{"cve":"CVE-2020-7677","qid":"283621","title":"Fedora Security Update for yarnpkg (FEDORA-2023-18fd476362)"},{"cve":"CVE-2020-7677","qid":"283622","title":"Fedora Security Update for yarnpkg (FEDORA-2023-ce8943223c)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2022-07-25T14:03:57.784005Z","ID":"CVE-2020-7677","STATE":"PUBLIC","TITLE":"Arbitrary Code Execution"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"thenify","version":{"version_data":[{"version_affected":"<","version_value":"3.3.1"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Arbitrary Code Execution"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690","name":"https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690"},{"refsource":"MISC","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317","name":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317"},{"refsource":"MISC","url":"https://github.com/thenables/thenify/blob/master/index.js%23L17","name":"https://github.com/thenables/thenify/blob/master/index.js%23L17"},{"refsource":"MISC","url":"https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a","name":"https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220930 [SECURITY] [DLA 3128-1] node-thenify security update","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html"},{"refsource":"FEDORA","name":"FEDORA-2023-ce8943223c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"},{"refsource":"FEDORA","name":"FEDORA-2023-18fd476362","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"}]},"description":{"description_data":[{"lang":"eng","value":"This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"}},"credit":[{"lang":"eng","value":"JHU System Security Lab"}]},"nvd":{"publishedDate":"2022-07-25 14:15:00","lastModifiedDate":"2023-11-07 03:26:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:thenify_project:thenify:*:*:*:*:*:node.js:*:*","versionEndExcluding":"3.3.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"7677","Ordinal":"167958","Title":"CVE-2020-7677","CVE":"CVE-2020-7677","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"7677","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}