Описание
Command Injection in kill-port
Versions of kill-port prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill function. This may allow attackers to run arbitrary commands in the system if user input (such as the port number) is passed directly to the function.
Recommendation
Upgrade to version 1.3.2 or later.
Пакеты
Наименование
kill-port
npm
Затронутые версииВерсия исправления
< 1.3.2
1.3.2
Связанные уязвимости
CVSS3: 8.1
nvd
почти 7 лет назад
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.