Command injection in node-dns-sync
dns-sync through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
If untrusted user input is allowed into the resolve() method then command injection is possible.
The dns-sync library for Node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.
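One way a caller can guard against this class of bug, shown as an added example that is not dns-sync's own code: validate the hostname against RFC 1123 label rules, then pass it to the child process as a separate argument with `execFileSync`, so no shell ever parses it. The names `isSafeHostname`, `safeResolve` and `LOOKUP_SCRIPT` are hypothetical, and the child-process lookup is an assumed stand-in for a synchronous resolver.

```javascript
// Added example, not dns-sync's own code. All names below are hypothetical.
const { execFileSync } = require('child_process');

// One RFC 1123 label: 1-63 letters, digits or hyphens, with no leading or
// trailing hyphen. Shell metacharacters and whitespace cannot match.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isSafeHostname(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 253) {
    return false;
  }
  // Allow one trailing dot (fully qualified form), then check every label.
  const name = input.endsWith('.') ? input.slice(0, -1) : input;
  return name.split('.').every((label) => LABEL.test(label));
}

// Script run in the child: resolves its single argument, prints the address.
const LOOKUP_SCRIPT =
  "require('dns').lookup(process.argv[1], (err, addr) => {" +
  " if (err) process.exit(1); process.stdout.write(addr); });";

function safeResolve(hostname) {
  // Reject before spawning anything. The no-leading-hyphen rule also keeps
  // the value from being read as a command-line option by the child.
  if (!isSafeHostname(hostname)) {
    throw new TypeError('refusing to resolve invalid hostname');
  }
  try {
    // execFileSync takes an argv array and starts no shell, so the hostname
    // reaches the child as data, never as part of a command line.
    const out = execFileSync(process.execPath, ['-e', LOOKUP_SCRIPT, hostname], {
      encoding: 'utf8',
      timeout: 5000,
      stdio: ['ignore', 'pipe', 'ignore'],
    });
    return out || null;
  } catch (err) {
    return null; // lookup failed or timed out
  }
}
```

Validation alone would be enough to block the injection, and the argv-array call alone would be enough to keep the shell out of the path; using both means a mistake in one does not reopen the issue.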