Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1
Command Injection in kill-port
Versions of kill-port prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill function. This may allow attackers to run arbitrary commands in the system if user input (such as the port number) is passed directly to the function.
Recommendation
Upgrade to version 1.3.2 or later.
Permalink: https://github.com/advisories/GHSA-pmv6-gf98-p3r5JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdjYtZ2Y5OC1wM3I1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pmv6-gf98-p3r5, CVE-2019-5414
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5414
- https://hackerone.com/reports/389561
- https://github.com/advisories/GHSA-pmv6-gf98-p3r5
- https://www.npmjs.com/advisories/966
Affected Packages
npm:kill-port
Dependent packages: 274Dependent repositories: 2,703
Downloads: 832,676 last month
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 2.0.0, 2.0.1