VulnerableCode Package Details - pkg:npm/wrangler@2.20.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-3nh5-avj1-4qfp Aliases: GHSA-8h3q-9fpp-c883	Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`	There are no reported fixed by versions.
VCID-tyqy-tb73-3kaq Aliases: CVE-2026-0933 GHSA-36p8-mvp6-cv38	SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.	3.114.17 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.59.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3nh5-avj1-4qfp
Aliases:
GHSA-8h3q-9fpp-c883

Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`

There are no reported fixed by versions.

VCID-tyqy-tb73-3kaq
Aliases:
CVE-2026-0933
GHSA-36p8-mvp6-cv38

SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.

3.114.17
Affected by 1 other vulnerability.

4.59.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-nqyp-j2yy-w7ca	Arbitrary remote code execution within `wrangler dev` Workers sandbox	CVE-2023-7080 GHSA-f8mp-x433-5wpf

Vulnerability

Summary

Aliases

VCID-nqyp-j2yy-w7ca

Arbitrary remote code execution within `wrangler dev` Workers sandbox

CVE-2023-7080
GHSA-f8mp-x433-5wpf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:50:02.105100+00:00	GitLab Importer	Affected by	VCID-3nh5-avj1-4qfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/GHSA-8h3q-9fpp-c883.yml	38.6.0
2026-06-12T20:49:42.481717+00:00	GitLab Importer	Affected by	VCID-tyqy-tb73-3kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/CVE-2026-0933.yml	38.6.0
2026-06-12T15:47:50.390507+00:00	GitLab Importer	Fixing	VCID-nqyp-j2yy-w7ca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/CVE-2023-7080.yml	38.6.0
2026-06-12T07:41:19.204713+00:00	GithubOSV Importer	Fixing	VCID-nqyp-j2yy-w7ca	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f8mp-x433-5wpf/GHSA-f8mp-x433-5wpf.json	38.6.0
2026-06-11T20:33:32.085416+00:00	GHSA Importer	Fixing	VCID-nqyp-j2yy-w7ca	https://github.com/advisories/GHSA-f8mp-x433-5wpf	38.6.0