Affected versions of
windows-cpu will execute arbitrary code passed into the first argument of the
findLoad method, resulting in remote code execution.
Proof of Concept
var win = require('windows-cpu'); win.findLoad('foo & calc.exe');
This package has not been updated since 2015, and it is therefore unlikely that a direct patch will be issued.
At this time, the best solution is to avoid passing user input into findLoad(). If that is a necessity, the next best solution is to run the user input through a module that escapes shell command arguments, such as
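An added example of the first recommendation (not code from windows-cpu or this advisory): an allowlist guard in front of findLoad(), which is assumed to take (processName, callback) and to hand processName to a shell command. The stub cpu object is constructed so the example runs offline.

```javascript
// Added example, not code from the windows-cpu package: an allowlist guard
// placed in front of findLoad(). findLoad is assumed to take
// (processName, callback) and to hand processName to a shell command, so
// the guard accepts only characters a process name legitimately needs.
const SAFE_PROCESS_NAME = /^[A-Za-z0-9_.-]{1,128}$/;

// Returns true only for plain process names; anything containing
// whitespace or shell metacharacters (&, |, ;, quotes, ...) is rejected.
// The pattern is deliberately strict: a rejected legitimate name is a
// usability bug, an accepted metacharacter is a shell injection.
function isSafeProcessName(name) {
  return typeof name === 'string' && SAFE_PROCESS_NAME.test(name);
}

// Wraps a windows-cpu-like object so untrusted input never reaches the
// shell. Rejections are reported through the callback, matching the
// callback style findLoad is assumed to use. Returns whether the call
// was forwarded.
function guardedFindLoad(cpu, name, callback) {
  if (!isSafeProcessName(name)) {
    const err = new Error('rejected process name: ' + JSON.stringify(name));
    if (typeof callback === 'function') { callback(err); return false; }
    throw err;
  }
  cpu.findLoad(name, callback);
  return true;
}

// Constructed stand-in for require('windows-cpu') so the example runs
// anywhere; it records what would have been passed on to the shell.
function makeStubCpu() {
  const calls = [];
  return {
    calls,
    findLoad(name, cb) { calls.push(name); if (cb) cb(null, [{ pid: 0, process: name }]); },
  };
}

const stub = makeStubCpu();
guardedFindLoad(stub, 'node.exe', () => {});             // forwarded
guardedFindLoad(stub, 'foo & calc.exe', (err) => {       // rejected, never reaches the shell
  console.log(err.message);
});
console.log('forwarded to findLoad:', stub.calls);       // [ 'node.exe' ]
```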