killport@1.0.0 vulnerabilities

a nodejs module to kill any processes base on its port

Direct Vulnerabilities

Known vulnerabilities in the killport package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Command Injection

killport is an a nodejs module to kill any processes base on its port

Affected versions of this package are vulnerable to Arbitrary Command Injection. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.

PoC (provided by reporter):

var killport = require('killport');
killport("$(touch success); #");

How to fix Arbitrary Command Injection?

Upgrade killport to version 1.0.2 or higher.

<1.0.2