Affected versions of pidusage pass unsanitized input to child_process.exec()
, resulting in arbitrary code execution in the ps
method.
This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.
Windows and Linux are not vulnerable.
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
Update to version 1.1.5 or later.