CVE-2026-15033
Deferred Deferred - Pending Action

Command Injection in check-peer-dependencies

Vulnerability report for CVE-2026-15033, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulDB

Description

A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vulnerability is the function shelljs.exec of the file dist/packageUtils.js of the component peerDependencies. This manipulation causes os command injection. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
christopherthielen check-peer-dependencies to 4.3.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the check-peer-dependencies tool up to version 4.3.4, specifically in the shelljs.exec function used in the peerDependencies component. The tool unsafely handles package names from peerDependencies by directly interpolating them into shell commands without proper sanitization.

When the tool runs commands like npm view or npm install using shelljs.exec, a malicious package name containing shell metacharacters (such as ;, &, |, backticks, or $()) can inject arbitrary OS commands. This leads to OS command injection, allowing an attacker to execute commands remotely on the system where the tool is run.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary operating system commands remotely on the machine running the vulnerable check-peer-dependencies tool.

  • Compromise of system integrity by executing unauthorized commands.
  • Potential data leakage or modification due to unauthorized access.
  • Disruption of normal operations or installation processes by injecting malicious commands.
  • Elevation of risk in environments where the tool is run with elevated privileges.
Detection Guidance

This vulnerability can be detected by examining the use of the check-peer-dependencies tool, specifically versions up to 4.3.4, in your projects. Look for usage of the --findSolutions or --install flags, which trigger shell commands via shelljs.exec with unsanitized package names from peerDependencies.

To detect potential exploitation or presence of the vulnerability, you can check for suspicious shell command executions involving npm view, npm install, or yarn add commands that include unusual or malformed package names containing shell metacharacters such as ;, &, |, backticks (`), or $().

Suggested commands to help detect this vulnerability or its exploitation include:

  • Search your project directories for usage of check-peer-dependencies version 4.3.4 or earlier: `npm list check-peer-dependencies` or check package.json dependencies.
  • Audit running processes or shell command logs for suspicious npm or yarn commands with injected shell metacharacters: `ps aux | grep -E 'npm|yarn'` and review command arguments.
  • Scan peerDependencies fields in package.json files for suspicious package names containing shell metacharacters: `grep -r --include=package.json 'peerDependencies' ./` and manually inspect for unsafe characters.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of check-peer-dependencies version 4.3.4 or earlier until a fix is released.

Do not run the tool in untrusted project directories where attacker-controlled package names could be present.

Avoid using the --findSolutions and --install flags, as these trigger vulnerable shell command executions.

Manually verify and sanitize peerDependencies in your package.json files to ensure no malicious package names with shell metacharacters are present.

Monitor for updates or patches from the project repository and apply them once available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15033. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart