CVE-2014-9682: dns-sync command injection vulnerability
10
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76451%
CWE
Published
10/24/2017
Updated
9/5/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:C/I:C/A:C
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
dns-sync | npm | < 0.1.1 | 0.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the resolve()
function in lib/dns-sync.js
where user-controlled hostname input was directly interpolated into a shell command string (via util.format
) without validation. The pre-patch code lacked hostname sanitization, enabling attackers to inject commands through shell metacharacters. The commit d9abaae
specifically adds hostname validation to this function to mitigate the injection, and the CVE description explicitly mentions the resolve
API as the attack vector. The shell.exec
call with unsanitized input creates the command injection vulnerability through command string construction.