OS Command Injection in GitHub repository ljharb/npm-lockfile prior to v2.0.5. https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8 https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1
Created nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2060671]

Created nodejs:10/nodejs tracking bugs for this issue:
Affects: fedora-34 [bug 2060672]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-34 [bug 2060673]
Affects: fedora-35 [bug 2060678]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2060674]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-34 [bug 2060676]
Affects: fedora-35 [bug 2060679]

Created zuul tracking bugs for this issue:
Affects: fedora-34 [bug 2060677]
Affects: fedora-35 [bug 2060680]
Created yarnpkg tracking bugs for this issue:
Affects: fedora-all [bug 2070960]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0841
npm-lockfile v1 shipped in RHEL is not affected by this CVE as it doesn't include the vulnerable code (i.e., support for the `only` parameter).