Command Injection Affecting find-process package, versions <1.4.5
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-FINDPROCESS-1090284
- published 25 Jun 2021
- disclosed 1 Apr 2021
- credit Unknown
How to fix?
Upgrade find-process to version 1.4.5 or higher.
Overview
find-process is a find process info by port/pid/name etc.
Affected versions of this package are vulnerable to Command Injection. When getting the information by PID and port number, the user needs to inform a value, which is used in a concatenation of an OS command. There is no user input check to know if the PID or the port is a number, as such, an attacker may send a malicious string that will be interpreted as an OS command.