Command Injection

Module: pidusage

Published: June 5th, 2017

Reported by: micaksica

CVE-NONE

CWE-94

Vulnerable: <=1.1.4
Patched: >=1.1.5

Overview

Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

Remediation

Update to version 1.1.5 or later.