CVE-2017-1000220

CRITICAL9.8EPSS 11.8%

PIDUsage Enables OS Command Injection

Published: 5/13/2022Modified: 10/16/2024

Description

### Overview Affected versions of pidusage pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ### Proof of Concept ```js var pid = require('pidusage'); pid.stat('1 && /usr/local/bin/python'); ``` ### Remediation Update to version 1.1.5 or later.

Affected packages (1)

npm/pidusagefrom 0, < 1.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000220
PATCHhttps://github.com/soyuka/pidusage
WEBhttps://github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d
WEBhttps://web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356