9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.022 Low
EPSS
Percentile
87.7%
I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands.
module name: kill-port-process
version: 1.1.0
npm page: https://www.npmjs.com/package/kill-port-process
0 downloads in the last day
138 downloads in the last week
660 downloads in the last month
The attacker controls the port number and can supply a shell command in its place. Because only the root user can run the kill command on the OS, the injected command is executed as root.
Installing the module: npm install kill-port-process -E
Following the example on the npm page:
const killPortProcess = require('kill-port-process');
const PORT = "$(<Shell Command>)";
await killPortProcess(PORT);
CLI mode:
kill-port "$(<Shell Command>)"
In the file src/lib/killer.ts:
Replace: import { exec } from 'child_process'
To: import { spawn } from 'child_process'
An attacker can execute arbitrary commands on the victim’s machine.