CVE-2021-45459
CRITICALnode-windows < 1.0.0-beta.6 - Command Injection via PID Parameter
Title source: llmDescription
lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/coreybutler/node-windows/compare/1.0.0-beta.5...1.0.0-beta.6
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/dwisiswant0/advisory/issues/4
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220107-0004/
Scores
CVSS v3
9.8
EPSS
0.0406
EPSS Percentile
89.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (3)
node-windows_project/node-windows
1.0.0 beta1 (5 CPE variants)
node-windows_project/node-windows
< 0.1.14
npm/node-windows
0 - 1.0.0-beta.6npm
Published
Dec 22, 2021
Tracked Since
Feb 18, 2026