Arbitrary Command Injection

Affecting psnode package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

psnode is an A Node.js KISS module to list and kill process on OSX and Windows.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

PoC (provided by reporter):

var psnode = require('psnode');
psnode.kill('$(touch success)', function() {});

(A file called success will be created as a result of the execution of touch success.)

Remediation

There is no fixed version for psnode.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Credit
OmniTaint
CVE
CVE-2021-23375
CWE
CWE-77
Snyk ID
SNYK-JS-PSNODE-1078543
Disclosed
18 Apr, 2021
Published
18 Apr, 2021