Vulnerability	Vulnerable Version
M Arbitrary Command Injection kill-by-port is a kills process by port Affected versions of this package are vulnerable to Arbitrary Command Injection. If (attacker-controlled) user input is given to the `killByPort` function, it is possible for an attacker to execute arbitrary commands. This is due to use of the `child_process` `exec` function without input sanitization. PoC (provided by reporter): `var kill_by_port = require('kill-by-port'); kill_by_port.killByPort('$(touch success)');` A file called `success` will be created as a result of the execution of `touch success`. How to fix Arbitrary Command Injection? Upgrade `kill-by-port` to version 0.0.2 or higher.	<0.0.2

Arbitrary Command Injection

kill-by-port is a kills process by port

Affected versions of this package are vulnerable to Arbitrary Command Injection. If (attacker-controlled) user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

PoC (provided by reporter):

var kill_by_port = require('kill-by-port');

kill_by_port.killByPort('$(touch success)');

A file called success will be created as a result of the execution of touch success.

How to fix Arbitrary Command Injection?

Upgrade kill-by-port to version 0.0.2 or higher.

<0.0.2

Go back to all versions of this package