Description
This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.
Remediation
References
https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19
https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533
Related Vulnerabilities
CVE-2022-40309 Vulnerability in maven package org.apache.archiva:maven2-repository
CVE-2020-15250 Vulnerability in maven package junit:junit
CVE-2023-4043 Vulnerability in maven package org.eclipse.parsson:project
CVE-2017-16226 Vulnerability in npm package static-eval
CVE-2021-41182 Vulnerability in maven package org.webjars:jquery-ui