node-windows@0.1.11 vulnerabilities

Support for Windows services, event logging, UAC, and several helper methods for interacting with the OS.

Direct Vulnerabilities

Known vulnerabilities in the node-windows package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

node-windows is a Support for Windows services, event logging, UAC, and several helper methods for interacting with the OS.

Affected versions of this package are vulnerable to Command Injection due to missing input validation in the exec function located in `lib/cmd.js' file. An attacker is able to concatenate PID parameter with a malicious command that will be executed.

POC:

var wincmd = require('node-windows');

wincmd.kill("12345; calc.exe", function(){
    console.log('Process Killed');
});

Note: This vulnerability is only relevant for Windows OS.

How to fix Command Injection?

Upgrade node-windows to version 1.0.0-beta.6 or higher.

<1.0.0-beta.6