CVE-2017-1000220: PIDUsage Enables OS Command Injection

May 13, 2022 (updated October 16, 2024)

Overview

Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

Remediation

Update to version 1.1.5 or later.

References

github.com/advisories/GHSA-h2p3-h48h-9jj7
github.com/soyuka/pidusage
github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d
nvd.nist.gov/vuln/detail/CVE-2017-1000220
web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356

Code Behaviors & Features

Detect and mitigate CVE-2017-1000220 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →