An OS command injection advisory exists in the strong-nginx-controller npm package [S2]. CVE-2020-7621 affects versions through 1.0.2 [S1], and the reviewed GitHub Advisory lists no patched version [S2].
Impact
When the affected package is installed in a deployed controller or automation host, unsafe command construction in NGINX management flows can create operating-system command execution risk [S1]. The practical impact depends on where the package is used, what privileges the process has, and whether untrusted deployment, request, webhook, or environment data can reach the command helper.
Root Cause
The issue is tracked as CWE-78, improper neutralization of special elements used in an OS command [S1]. Public advisory sources describe the vulnerable behavior in the package command helper [S2][S3].
Covered by FixVibe
FixVibe repo scans can report this as a version-based advisory when a connected GitHub repository contains npm dependency evidence for strong-nginx-controller in the affected range. The finding shows the package evidence, advisory IDs, confidence, affected range, and remediation path.
FixVibe does not run strong-nginx-controller, start or control NGINX, pass command-injection strings, inspect deployed controller trust boundaries, verify that attacker-controlled input reaches command arguments, or claim host compromise. The live check is intended to help teams remove or replace an affected dependency before it is installed in controller, CI, deployment, or automation hosts.
Remediation
There is no patched version listed in the reviewed advisory [S2]. Remove strong-nginx-controller or replace it with maintained NGINX orchestration tooling, regenerate npm, pnpm, or Yarn lockfiles, rebuild images and CI caches that install dependencies, and rerun the repo scan. Review any controller call sites so untrusted request, webhook, deployment, or environment data cannot reach NGINX management command arguments.
