Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1
Command Injection in kill-port
Versions of kill-port
prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill
function. This may allow attackers to run arbitrary commands in the system if user input (such as the port number) is passed directly to the function.
Recommendation
Upgrade to version 1.3.2 or later.
Permalink: https://github.com/advisories/GHSA-pmv6-gf98-p3r5JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00429
EPSS Percentile: 0.74736
Identifiers: GHSA-pmv6-gf98-p3r5, CVE-2019-5414
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5414
- https://hackerone.com/reports/389561
- https://github.com/advisories/GHSA-pmv6-gf98-p3r5
- https://www.npmjs.com/advisories/966
Affected Packages
npm:kill-port
Dependent packages: 274Dependent repositories: 2,703
Downloads: 817,826 last month
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 2.0.0, 2.0.1