CVE-2017-16034

Command Injection in pidusage

Published: 9/1/2020
Modified: 11/8/2023

Description

Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.

## Proof of Concept

```js
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
```

## Recommendation

Update to version 1.1.5 or later.

Affected packages (1)

References (2)