severity_rating: high created_at: 2018-08-02 09:38:03 vendor: nodejs-ecosystem https://hackerone.com/nodejs-ecosystem bounty_amount:

I would like to report a command injection vulnerability in kill-port. It allows an attacker to inject arbitrary commands.

Module

module name: kill-port
version: 1.3.1
npm page: https://www.npmjs.com/package/kill-port

Module Description

Kill the process running on given port

Module Stats

5,282 downloads in the last week

Vulnerability

Vulnerability Description

If an attacker can control the port, which in itself is a very sensitive value, he can inject arbitrary OS commands due to the usage of exec in a third-party module.

Steps To Reproduce:

const kill = require('kill-port');
kill("23;`touch ./success.txt; 2222222222`");

Patch

N/A replace exec (through execa.shell) with spawn

Supporting Material/References:

Wrap up

• I contacted the maintainer to let them know: N
• I opened an issue in the related repository: N

Impact

She can inject arbitrary commands. However, I assume that the real impact is not that high, since for most usages of the package I do not expect the user to be able to control the port value.