PT-2020-9135 · Npm · Lsof

Published

2020-01-29

Updated

2021-04-13

CVE-2019-10783

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions lsof npm module versions 0.0.4 and earlier

Description The issue concerns Command Injection, where every exported method used by the package utilizes the exec function to parse user input, making all versions including 0.0.4 of the lsof npm module vulnerable.

Recommendations For versions 0.0.4 and earlier, consider disabling the use of the exec function to parse user input until a patch is available. Restrict access to the vulnerable methods to minimize the risk of exploitation. Avoid using the lsof npm module in sensitive operations until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-10783

GHSA-WHQ6-MJ2R-MJQC

SNYK-JS-LSOF-543632

Affected Products

Lsof

PT-2020-9135 · Npm · Lsof

CVE-2019-10783

Weakness Enumeration

Related Identifiers

Affected Products

References · 5