Skip to content

Command Injection in pidusage

Critical severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm pidusage (npm)

Affected versions

<= 1.1.4

Patched versions

1.1.5

Description

Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

Recommendation

Update to version 1.1.5 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

CVE ID

CVE-2017-16034

GHSA ID

GHSA-hfq9-rfpv-j8r8

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.