pidusage@1.1.1 vulnerabilities

Cross-platform process cpu % and memory usage of a PID

Direct Vulnerabilities

Known vulnerabilities in the pidusage package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Command Injection

pidusage is a package for Cross-platform process cpu % and memory usage of a PID. Affected versions of the package are vulnerable to Arbitrary Command Injection. It passes user input to child_process.exec without sanitization, which causes a command injection vulnerability in the ps function due to never casting the PID to an integer.

PoC:

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

How to fix Arbitrary Command Injection?

Upgrade pidusage to version 1.1.5 or higher.

<1.1.5