Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1

Command Injection in kill-port

Versions of kill-port prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill function. This may allow attackers to run arbitrary commands in the system if user input (such as the port number) is passed directly to the function.

Recommendation

Upgrade to version 1.3.2 or later.

Permalink: https://github.com/advisories/GHSA-pmv6-gf98-p3r5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00429
EPSS Percentile: 0.74736

Identifiers: GHSA-pmv6-gf98-p3r5, CVE-2019-5414
References: Blast Radius: 27.8

Affected Packages

npm:kill-port
Dependent packages: 274
Dependent repositories: 2,703
Downloads: 817,826 last month
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 2.0.0, 2.0.1