Nutmeg Pumpkin Macchiato
Severity: critical

Command Injection



Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');


Update to version 1.1.5 or later.

Advisory timeline

  1. published

    Advisory published
    Jun 5th, 2017
  2. reported

    May 30th, 2017