FixVibe
Covered by FixVibehigh

OS Command Injection in strong-nginx-controller (CVE-2020-7621)

The strong-nginx-controller npm package is affected by CVE-2020-7621 / GHSA-4v9w-pvwr-38h3 through version 1.0.2. FixVibe covers this as a repository dependency advisory: it reports manifest and lockfile evidence for affected versions, while clearly stating that runtime command execution is not proven by dependency evidence alone.

CVE-2020-7621GHSA-4v9w-pvwr-38h3CWE-78

An OS command injection advisory exists in the strong-nginx-controller npm package [S2]. CVE-2020-7621 affects versions through 1.0.2 [S1], and the reviewed GitHub Advisory lists no patched version [S2].

Impact

When the affected package is installed in a deployed controller or automation host, unsafe command construction in NGINX management flows can create operating-system command execution risk [S1]. The practical impact depends on where the package is used, what privileges the process has, and whether untrusted deployment, request, webhook, or environment data can reach the command helper.

Root Cause

The issue is tracked as CWE-78, improper neutralization of special elements used in an OS command [S1]. Public advisory sources describe the vulnerable behavior in the package command helper [S2][S3].

Covered by FixVibe

FixVibe repo scans can report this as a version-based advisory when a connected GitHub repository contains npm dependency evidence for strong-nginx-controller in the affected range. The finding shows the package evidence, advisory IDs, confidence, affected range, and remediation path.

FixVibe does not run strong-nginx-controller, start or control NGINX, pass command-injection strings, inspect deployed controller trust boundaries, verify that attacker-controlled input reaches command arguments, or claim host compromise. The live check is intended to help teams remove or replace an affected dependency before it is installed in controller, CI, deployment, or automation hosts.

Remediation

There is no patched version listed in the reviewed advisory [S2]. Remove strong-nginx-controller or replace it with maintained NGINX orchestration tooling, regenerate npm, pnpm, or Yarn lockfiles, rebuild images and CI caches that install dependencies, and rerun the repo scan. Review any controller call sites so untrusted request, webhook, deployment, or environment data cannot reach NGINX management command arguments.

OS Command Injection in strong-nginx-controller (CVE-2020-7621) β€” FixVibe research Β· FixVibe