CVE-2021-23360

HIGH

killport < 1.0.2 - OS Command Injection via Unsanitized Input to child_process exec

Title source: llm

Description

This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-KILLPORT-1078535

Broken Link x_refsource_misc

https://github.com/ssnau/killport/blob/5268f23ea8f152e47182b263d8f7ef20c12a9f28/index.js%23L9

Patch, Third Party Advisory x_refsource_misc

https://github.com/ssnau/killport/commit/bec8e371f170a12e11cd222ffc7a6e1ae9942638

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0234

EPSS Percentile 81.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

killport_project/killport < 1.0.2

npm/killport 0 - 1.0.2npm

Published Mar 21, 2021

Tracked Since Feb 18, 2026