Severity: high

Command Execution

windows-cpu

Overview

Versions of windows-cpu before 0.1.5 will execute arbitrary code passed into the first argument of the findLoad method, resulting in remote code execution.

Proof of Concept

var win = require('windows-cpu');
// "&" is a cmd.exe command separator, so calc.exe runs as a second command
win.findLoad('foo & calc.exe');

Remediation

Update to version 0.1.5 or later.
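
The class of bug described in the overview, next to a hardened form, as an added example that is not windows-cpu's own code. The wmic command line, the allowlist pattern and all function names here are assumptions chosen for illustration.

```javascript
const { execFile } = require('child_process');

// Assumption: the argument is a process-name fragment, so a narrow allowlist fits.
const SAFE_NAME = /^[A-Za-z0-9._-]{1,64}$/;

// Vulnerable pattern (hypothetical): the argument becomes part of a string
// that cmd.exe parses, so "&", "|" and similar characters start a second command.
function unsafeCommandLine(name) {
  return 'wmic path Win32_PerfFormattedData_PerfProc_Process get ' +
         'Name,PercentProcessorTime,IDProcess | findstr /i /c:' + name;
}

function validateProcessName(name) {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new TypeError('process name contains characters outside the allowlist');
  }
  return name;
}

// Parse wmic CSV output and match the name in JavaScript instead of in findstr.
function filterLoad(csvText, name) {
  const rows = csvText.split(/\r*\n/).map((l) => l.trim()).filter(Boolean);
  if (rows.length === 0) return [];
  const header = rows[0].split(',');
  const col = (k) => header.indexOf(k);
  const needle = name.toLowerCase();
  return rows.slice(1)
    .map((l) => l.split(','))
    .filter((f) => (f[col('Name')] || '').toLowerCase().includes(needle))
    .map((f) => ({ pid: Number(f[col('IDProcess')]), name: f[col('Name')],
                   load: Number(f[col('PercentProcessorTime')]) }));
}

// Hardened lookup: fixed program, argument array, no shell involved.
function findLoadSafe(name, cb) {
  try { validateProcessName(name); } catch (err) { return cb(err); }
  const args = ['path', 'Win32_PerfFormattedData_PerfProc_Process', 'get',
                'Name,PercentProcessorTime,IDProcess', '/format:csv'];
  execFile('wmic', args, { windowsHide: true }, (err, stdout) =>
    (err ? cb(err) : cb(null, filterLoad(stdout, name))));
}

// Constructed sample of wmic CSV output, for offline use.
const SAMPLE = 'Node,IDProcess,Name,PercentProcessorTime\r\r\n' +
               'HOST,1234,chrome,12\r\r\nHOST,4321,node,3\r\r\n';
```

The validation alone would reject the proof-of-concept string; passing a fixed argument array to execFile removes the shell, so nothing in the input is ever parsed as a command.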

Advisory timeline

  1. published: Advisory published, May 19th, 2017
  2. reported: Apr 17th, 2017