Severity: Critical
CVSS Score: 10
All versions of `priest-runner` are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to a `spawn` call, which may allow attackers to execute arbitrary code in the system. The `PriestController.prototype.createChild ` function is vulnerable since the `spawn` parameters come from a POST request body. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.