Impact
An Arbitrary Command Injection vulnerability was reported in portprocesses impacting versions <= 1.0.4.
Example (Proof of Concept)
The following example demonstrates the vulnerability: it runs the command touch success, which creates a file named success.
const portprocesses = require("portprocesses");
portprocesses.killProcess("$(touch success)");
Patches
This vulnerability was patched in version 1.0.5.
Workarounds
Users can ensure all arguments being passed to portprocesses are sanitized and not malicious.
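One way to apply this workaround is an allowlist check in front of the call. This is an added example, not code from the portprocesses project; the names toNumericArg and guardedKill are hypothetical, and it assumes the argument to killProcess is a numeric identifier such as a TCP port (raise max if your identifiers are larger).

```javascript
"use strict";

// Added example (not from portprocesses): allowlist validation before killProcess.
// Assumption: the argument is a numeric identifier such as a TCP port.

// Plain decimal digits only: no sign, whitespace, hex prefix, exponent,
// or shell metacharacters such as $ ( ) ; | & `
const DIGITS_ONLY = /^[1-9][0-9]{0,9}$/;

function toNumericArg(value, max = 65535) {
  let text;
  if (typeof value === "number" && Number.isInteger(value)) {
    text = String(value);
  } else if (typeof value === "string") {
    text = value; // not trimmed: surrounding whitespace is rejected, not repaired
  } else {
    throw new TypeError("argument must be an integer or a string of digits");
  }
  if (!DIGITS_ONLY.test(text)) {
    throw new RangeError("argument must consist of decimal digits only");
  }
  const n = Number(text);
  if (n > max) {
    throw new RangeError("argument exceeds the allowed maximum of " + max);
  }
  return n;
}

// The library object is passed in so the wrapper can be exercised with a stub.
// It hands the library a number, never the caller's original text.
function guardedKill(lib, value, max) {
  return lib.killProcess(toNumericArg(value, max));
}

// Demo against a stub that records what would have reached the library.
function demo() {
  const seen = [];
  const stubLib = { killProcess: (arg) => { seen.push(arg); return true; } };
  const results = [];
  for (const input of ["8080", 3000, "$(touch success)", "8080 ", "0x50"]) {
    try {
      guardedKill(stubLib, input);
      results.push([input, "passed"]);
    } catch (err) {
      results.push([input, "rejected: " + err.message]);
    }
  }
  return { seen, results };
}
```

Validation of this kind only narrows what callers pass in; the fix itself is the patched release, version 1.0.5.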
Credit
Thanks to the following for reporting and assisting with patching this vulnerability.
For more information
If you have any questions or comments about this advisory: