CVE-2017-1000220 — PIDUsage Enables OS Command Injection

Description

### Overview Affected versions of pidusage pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ### Proof of Concept ```js var pid = require('pidusage'); pid.stat('1 && /usr/local/bin/python'); ``` ### Remediation Update to version 1.1.5 or later.

How to fix CVE-2017-1000220

To remediate CVE-2017-1000220, upgrade the affected package to a fixed version below.

—upgrade to 1.1.5 or later

Is CVE-2017-1000220 being exploited?

Moderate — EPSS is 11.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-1000220
PATCHgithub.com/soyuka/pidusage
WEBgithub.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d
WEBweb.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356