It was found that growl does not properly sanitize input before passing it to exec, allowing for arbitrary command execution. Upstream issue: https://github.com/tj/node-growl/issues/60 Upstream pull request: https://github.com/tj/node-growl/pull/61
Created nodejs-growl tracking bugs for this issue: Affects: epel-all [bug 1585955] Affects: fedora-all [bug 1585956]