Command Injection Affecting node-windows package, versions <1.0.0-beta.6


Severity

0.0
high
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.19% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NODEWINDOWS-2322882
  • published 23 Dec 2021
  • disclosed 22 Dec 2021
  • credit Dwi Siswanto

How to fix?

Upgrade node-windows to version 1.0.0-beta.6 or higher.

Overview

node-windows is a Support for Windows services, event logging, UAC, and several helper methods for interacting with the OS.

Affected versions of this package are vulnerable to Command Injection due to missing input validation in the exec function located in `lib/cmd.js' file. An attacker is able to concatenate PID parameter with a malicious command that will be executed.

POC:

var wincmd = require('node-windows');

wincmd.kill("12345; calc.exe", function(){ console.log('Process Killed'); });

Note: This vulnerability is only relevant for Windows OS.

CVSS Scores

version 3.1
Expand this section

Snyk

7 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical