Arbitrary Command Injection

Affecting kill-by-port package, versions <0.0.2


Overview

kill-by-port kills the process listening on a given port.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled input reaches the killByPort function, the attacker can execute arbitrary commands, because the package passes that input to the child_process exec function without any input sanitization.

PoC (provided by reporter):

var kill_by_port = require('kill-by-port');

kill_by_port.killByPort('$(touch success)');

A file called success will be created as a result of the execution of touch success.

Remediation

Upgrade kill-by-port to version 0.0.2 or higher.

CVSS Score

6.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P
Credit: OmniTaint
CVE: CVE-2021-23363
CWE: CWE-77
Snyk ID: SNYK-JS-KILLBYPORT-1078531
Disclosed: 23 Feb, 2021
Published: 30 Mar, 2021