Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/tags

https://snyk.io/vuln/npm:traceroute:20160311

https://www.npmjs.com/package/traceroute

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

https://www.npmjs.com/advisories/1465

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

Related Vulnerabilities

CVE-2016-10551 Vulnerability in npm package waterline-sequel

CVE-2018-1270 Vulnerability in maven package org.springframework:spring-messaging

CVE-2020-28469 Vulnerability in npm package glob-parent

CVE-2018-3714 Vulnerability in npm package node-srv

CVE-2023-42795 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit Product Patch