Command Injection

Module: pidusage

Published: June 5th, 2017

Reported by: micaksica



Vulnerable: <=1.1.4
Patched: >=1.1.5


pidusage is a module for cross-platform process cpu % and memory usage of a PID.

The pidusage module passes unsanitized input to child_process.exec, resulting in command injection in the ps method, as the pid is never cast to an integer as the comment expects. This module is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.

Proof of Concept:

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');


Update to version 1.1.5 or later.

Otherwise, before passing any untrusted data to the stat function, ensure that the data is sanitized using a proper shell escaping library. Note that Windows and Linux are not vulnerable.

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo