pidusage@1.1.3 vulnerabilities

Cross-platform process cpu % and memory usage of a PID

  • latest version

    3.0.2

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pidusage package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Arbitrary Command Injection

    pidusage is a package that reports cross-platform process CPU % and memory usage for a PID. Affected versions of the package are vulnerable to Arbitrary Command Injection. User input is passed to child_process.exec without sanitization, and because the PID is never cast to an integer, the ps function is open to command injection.

    PoC:

    var pid = require('pidusage');
    pid.stat('1 && /usr/local/bin/python');
    

    How to fix Arbitrary Command Injection?

    Upgrade pidusage to version 1.1.5 or higher.

    Vulnerable versions: <1.1.5
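
The root cause described in the advisory, shown beside a hardened form, as an added example that is not pidusage's own code. The ps arguments and the function names (buildUnsafeCommand, parsePid, buildSafeArgv, statPid) are assumptions for illustration.

```javascript
const { execFile } = require('node:child_process');

// Assumed ps invocation for illustration; not copied from pidusage.
const PS_FORMAT = ['-o', 'pcpu,rss'];

// Vulnerable pattern from the advisory: the caller's value is concatenated
// into one string, which child_process.exec would hand to a shell.
function buildUnsafeCommand(pid) {
  return 'ps ' + PS_FORMAT.join(' ') + ' -p ' + pid;
}

// Strict PID check. parseInt('1 && x', 10) returns 1, so a bare cast hides
// bad input instead of rejecting it; this accepts decimal digits only.
function parsePid(input) {
  const text = typeof input === 'number' ? String(input) : input;
  if (typeof text !== 'string' || !/^[1-9][0-9]{0,9}$/.test(text)) {
    throw new TypeError('pid must be a positive integer');
  }
  return Number(text);
}

// Hardened argv: each element reaches ps as one argument, with no shell parsing.
function buildSafeArgv(input) {
  return [...PS_FORMAT, '-p', String(parsePid(input))];
}

// Hardened call: validate first, then use execFile, which spawns no shell.
function statPid(input, callback) {
  let argv;
  try {
    argv = buildSafeArgv(input);
  } catch (err) {
    process.nextTick(callback, err);
    return;
  }
  execFile('ps', argv, { timeout: 5000 }, (err, stdout) => callback(err, stdout));
}
```

Validation and execFile are independent layers: the first rejects non-numeric input outright, the second keeps shell metacharacters from being interpreted even if a check is later weakened.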