Vulnerabilities affecting this package (1)
| Vulnerability |
Summary |
Fixed by |
VCID-3nh5-avj1-4qfp
Aliases:
GHSA-8h3q-9fpp-c883
|
Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`
|
There are no reported fixed by versions.
|
Vulnerabilities fixed by this package (1)
| Vulnerability |
Summary |
Aliases |
|
VCID-tyqy-tb73-3kaq
|
SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
* Run any shell command.
* Exfiltrate environment variables.
* Compromise the CI runner to install backdoors or modify build artifacts.
Credits Disclosed responsibly by kny4hacker.
Mitigation
* Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
* Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
* Users on Wrangler v2 (EOL) should upgrade to a supported major version.
|
CVE-2026-0933
GHSA-36p8-mvp6-cv38
|