Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the
This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.
Windows and Linux are not vulnerable.
Proof of Concept
var pid = require('pidusage'); pid.stat('1 && /usr/local/bin/python');
Update to version 1.1.5 or later.
Advisory published: Jun 5th, 2017
Initial report by micaksica: May 30th, 2017