Description
This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
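The class of fix for the issue described above, as an added example that is not the portprocesses code or its patch: validate the port strictly, then run the lookup with an argument array so no shell parses the input. `parsePort`, `killByPort` and `checkInputs` are hypothetical names, and the example assumes a POSIX host with `lsof` installed.

```javascript
// Added illustration; parsePort, killByPort and checkInputs are hypothetical
// names, not the portprocesses API. Assumes a POSIX host with lsof installed.

// Accept only a plain decimal port in 1-65535; anything else throws.
function parsePort(input) {
  const text = typeof input === 'number' ? String(input) : input;
  if (typeof text !== 'string' || !/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError('port must be a decimal integer');
  }
  const port = Number(text);
  if (port < 1 || port > 65535) throw new RangeError('port out of range');
  return port;
}

// Find the PIDs bound to the port and signal them without ever invoking a shell.
async function killByPort(input) {
  const port = parsePort(input);
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  let stdout = '';
  try {
    // execFile hands argv straight to lsof, so nothing is shell-parsed.
    ({ stdout } = await promisify(execFile)('lsof', ['-t', `-i:${port}`]));
  } catch (err) {
    if (err.code !== 1) throw err; // lsof exits 1 when nothing matches
  }
  const pids = stdout.split('\n').filter((l) => /^[0-9]+$/.test(l)).map(Number);
  for (const pid of pids) process.kill(pid, 'SIGTERM');
  return pids;
}

// Constructed sample inputs: two valid ports, then values that must be rejected.
const SAMPLES = ['8080', 443, '8080; echo injected', '80 80', '70000', '', 80.5];

function checkInputs(inputs) {
  return inputs.map((value) => {
    try {
      return { value, port: parsePort(value) };
    } catch (err) {
      return { value, rejected: err.message };
    }
  });
}

console.log(checkInputs(SAMPLES));
```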
References (4)
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536
Broken Link x_refsource_misc
https://github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33c8299/index.js%23L23
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm
Patch, Third Party Advisory x_refsource_misc
https://github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aa4214e1
Scores
CVSS v3
6.3
EPSS
0.0182
EPSS Percentile
76.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-78
Status
published
Products (2)
npm/portprocesses
0 - 1.0.5 (npm)
portprocesses_project/portprocesses
< 1.0.5
Published
Mar 31, 2021
Tracked Since
Feb 18, 2026