Severity: critical

Command Injection



Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');


Update to version 1.1.5 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Jun 5th, 2017
  2. reported

    Initial report by micaksica
    May 30th, 2017