CVE-2021-23380
Severity: MEDIUM
roar-pidusage - OS Command Injection via Unsanitized Input to stat Function
Title source: llmDescription
This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
References (2)
- Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528
- Broken Link (x_refsource_misc): https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js#L103
Scores
CVSS v3 base score: 5.6
EPSS: 0.0115
EPSS Percentile: 62.9%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE: CWE-78
Status: published
Products (2)
- npm/roar-pidusage
- roar-pidusage_project/roar-pidusage
Published: Apr 18, 2021
Tracked Since: Feb 18, 2026