VulnerableCode Package Details - pkg:npm/wrangler@3.75.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-3nh5-avj1-4qfp Aliases: GHSA-8h3q-9fpp-c883	Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`	There are no reported fixed by versions.
VCID-tyqy-tb73-3kaq Aliases: CVE-2026-0933 GHSA-36p8-mvp6-cv38	SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.	3.114.17 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.59.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3nh5-avj1-4qfp
Aliases:
GHSA-8h3q-9fpp-c883

Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`

There are no reported fixed by versions.

VCID-tyqy-tb73-3kaq
Aliases:
CVE-2026-0933
GHSA-36p8-mvp6-cv38

SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.

3.114.17
Affected by 1 other vulnerability.

4.59.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:50:02.575402+00:00	GitLab Importer	Affected by	VCID-3nh5-avj1-4qfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/GHSA-8h3q-9fpp-c883.yml	38.6.0
2026-06-12T20:49:43.052435+00:00	GitLab Importer	Affected by	VCID-tyqy-tb73-3kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/CVE-2026-0933.yml	38.6.0

2026-06-12T20:50:02.575402+00:00

GitLab Importer

Affected by

VCID-3nh5-avj1-4qfp

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/GHSA-8h3q-9fpp-c883.yml

38.6.0

2026-06-12T20:49:43.052435+00:00

GitLab Importer

Affected by

VCID-tyqy-tb73-3kaq

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/wrangler/CVE-2026-0933.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk