CVE-2018-16460

Name of the Vulnerable Software and Affected Versions ps versions prior to 1.0.0

Description A command injection issue in the ps package for Node.js allows arbitrary commands to be executed when an attacker controls the PID. This can be exploited by manipulating the pid variable in the lookup function, enabling the execution of malicious commands. For instance, an attacker could use the pid variable to execute a command like $(touch success.txt), resulting in the creation of a file named success.txt on the filesystem.

Recommendations Update to version 1.0.0 or later. As a temporary workaround, consider restricting the use of the lookup function with user-controlled input until a patch is applied. Avoid using the pid variable in the lookup function with untrusted input to minimize the risk of exploitation.