Arbitrary Command Injection Affecting ps-kill package, versions *
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.46% (76th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-PSKILL-1078529
- published 15 Mar 2021
- disclosed 23 Feb 2021
- credit OmniTaint
Introduced: 23 Feb 2021
CVE-2021-23355 Open this link in a new tabHow to fix?
There is no fixed version for ps-kill
.
Overview
ps-kill is a Kill processes with ease
Affected versions of this package are vulnerable to Arbitrary Command Injection. If (attacker-controlled) user input is given to the kill
function, it is possible for an attacker to execute arbitrary commands.
This is due to use of the child_process
exec
function without input sanitization in the index.js
file.
PoC (provided by reporter):
var ps_kill = require('ps-kill');
ps_kill.kill('$(touch success)',function(){});
CVSS Scores
version 3.1