The curlrequest npm package through 1.0.1 is affected by CVE-2020-7646 / GHSA-m8xj-5v73-3hh8. GitHub Advisory and OSV describe command-injection risk, while current NVD, CVE.org, and Snyk metadata describe arbitrary file-read risk for the same package advisory. Public sources list no patched npm release, and npm registry metadata shows 1.0.1 as the latest published version [S1][S2][S3][S4][S5][S6].
Impact
If an application, worker, automation job, or API route calls curlrequest with attacker-controlled URL, header, proxy, file, or option data, affected versions may let that input cross into unsafe curl wrapper behavior [S1][S5]. Depending on the reachable call site and deployment environment, the practical impact can include unintended command execution or local file access. A dependency match alone does not prove that the package is installed in production, invoked at runtime, or reachable from untrusted input.
Root Cause
curlrequest is a Node.js wrapper around curl. The public advisories describe unsafe handling around user-influenced request options and file input in affected releases [S1][S2][S5]. The issue is classified under CWE-78 for command-injection style command-boundary risk, with current source metadata also preserving the arbitrary-file-read wording [S1][S3][S4].
How FixVibe covers it
FixVibe GitHub repo scans report version-based advisory evidence when package.json, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, or yarn.lock shows curlrequest in the affected range. Lockfile exact-version evidence is high confidence; manifest range evidence is medium confidence because the installed version still depends on dependency resolution.
FixVibe does not execute curlrequest, invoke curl, pass command-injection or file-read payloads, read local files, trace request data flow into curlrequest options or file input, verify that the dependency is present in the deployed runtime, or claim live command execution or live file-read proof.
Fixes
Public advisories do not list a patched curlrequest release. Remove curlrequest or replace it with a maintained HTTP client such as the built-in fetch API, undici, axios, or got that does not shell out through a curl wrapper [S5][S6]. Regenerate the active npm, pnpm, or Yarn lockfile, rebuild every runtime image, worker, devcontainer, CI cache, and package-manager cache that installs dependencies, and rerun the FixVibe GitHub repo scan. Review call sites so untrusted request, webhook, job, URL, header, proxy, file-path, curl option, or request option data cannot reach shell-backed HTTP helpers.
