ssh2@0.2.25

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 53
License:
Install Scripts: No
Dependencies: 2
Dev Dependencies: 0
Package Size: 79.5 KB
Published:

SSH2 client and server modules written in pure JavaScript for node.js

Maintainers

mscdex

Keywords

ssh, ssh2, sftp, secure, shell, exec, remote, client

Dependencies (2)

Package       Constraint  Registry Status
asn1          0.1.11      auto_approved
streamsearch  0.1.2       auto_approved

Transitive Dependency Tree

2 transitive deps, max depth 1
  ├─ asn1 0.1.11 → 0.1.11
  ├─ streamsearch 0.1.2 → 0.1.2

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-652h-xwhf-q4h6
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): CVE-2020-26301 OS Command Injection affects all ssh2 < 1.4.0; fixed in 1.4.0. Verdict generalizes to all versions in affected range.

SAST Findings (2)

CRITICAL: GHSA-652h-xwhf-q4h6: OS Command Injection in ssh2 (source: osv)

[Always reject] CVSS 7.5 (HIGH): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3), 2 info (+0).

Published to npm: