CVE-2017-16034
Command Injection in pidusage
Description
Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary command execution through the `ps` method. The package is vulnerable to the PoC below on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.

## Proof of Concept

```javascript
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
```

## Recommendation

Update to version 1.1.5 or later.
How to fix CVE-2017-16034
To remediate CVE-2017-16034, upgrade the affected package to a fixed version below.
- npm/pidusage—upgrade to 1.1.5 or later
Is CVE-2017-16034 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2017-16034.
Affected packages (1)
- npm/pidusage: >= 0, < 1.1.5