Skip to content

DLL Injection in kerberos

high severity Published Sep 4, 2020

Package

npm kerberos (npm)

Affected versions

< 1.0.0

Patched versions

1.0.0

Description

Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code in the machine.

Recommendation

Upgrade to version 1.0.0 or later.

References

GHSA ID

GHSA-m2mx-rfpw-jghv