CVE-2020-15123

Name: CVE-2020-15123
Creator: NVD / NIST
Published: 2020-07-20T18:15:12.25+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.3/10EPSS 3.81%

Last modified Jun 17, 2026

CVE-2020-15123 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. EPSS estimates a 3.81% chance of exploitation in the next 30 days.

Description

In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

Metrics

CVSS 3.1

9.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Probability

3.81%

88.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Codecov	Codecov	< 3.7.1

References

https://github.com/advisories/GHSA-5q88-cjfq-g2mhThird Party Advisory
https://github.com/codecov/codecov-node/commit/c0711c656686e902af2cd92d6aecc8074de4d83dPatch, Third Party Advisory
https://github.com/codecov/codecov-node/pull/180Third Party Advisory
https://github.com/codecov/codecov-node/security/advisories/GHSA-xp63-6vf5-xf3vThird Party Advisory
https://lgtm.com/query/7714424068617023832Exploit, Third Party Advisory
https://github.com/advisories/GHSA-5q88-cjfq-g2mhThird Party Advisory
https://github.com/codecov/codecov-node/commit/c0711c656686e902af2cd92d6aecc8074de4d83dPatch, Third Party Advisory
https://github.com/codecov/codecov-node/pull/180Third Party Advisory
https://github.com/codecov/codecov-node/security/advisories/GHSA-xp63-6vf5-xf3vThird Party Advisory
https://lgtm.com/query/7714424068617023832Exploit, Third Party Advisory

Timeline

Published: Jul 20, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15123?

How severe is CVE-2020-15123?

CVE-2020-15123 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 3.81% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15123?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-15123?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST