Description
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/skoranga/node-dns-sync/security/advisories/GHSA-wh69-wc6q-7888
Patch, Third Party Advisory x_refsource_misc
https://github.com/skoranga/node-dns-sync/commit/cb10a5ac7913eacc031ade7d91596277f31645dc
Scores
CVSS v3
8.6
EPSS
0.0262
EPSS Percentile
83.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-77
CWE-94
Status
published
Products (2)
node-dns-sync_project/node-dns-sync
< 0.2.1
npm/dns-sync
0.1.3 - 0.2.1
Published
May 28, 2020
Tracked Since
Feb 18, 2026