| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pidusage | npm | <= 1.1.4 | 1.1.5 |

The commit diff shows that `pid = parseInt()` was added to the `ps` function in `lib/stats.js` to fix the vulnerability. The original code passed a user-controlled `pid` directly into a shell command via `child_process.exec()`, allowing command injection through the PID parameter (as demonstrated in the PoC). The vulnerability manifests specifically in the `ps` method used on Darwin/BSD systems; Linux and Windows used other methods (procfs/WMI) that did not involve command interpolation. The CWE-78 classification and the advisory text explicitly point to the `ps` method's command construction as the injection vector.
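
The sketch below is an added example, not pidusage's own code: it contrasts the string-concatenation pattern described above with the `parseInt` coercion and with a stricter, shell-free variant. The `ps` option string, all function names and the sample input are assumptions made for illustration.

```javascript
// Hypothetical ps invocation; the exact command pidusage ran is not shown on the page.
const PS_PREFIX = 'ps -o pcpu,rss -p ';

// Pre-fix pattern: pid is concatenated into a string that exec() hands to a shell.
function buildCommandUnsafe(pid) {
  return PS_PREFIX + pid;
}

// Pattern of the fix described above: coerce with parseInt before interpolating.
// parseInt stops at the first non-digit, so trailing text is dropped, not rejected.
function buildCommandParseInt(pid) {
  return PS_PREFIX + parseInt(pid, 10);
}

// Stricter option (an assumption, not the project's code): accept only a
// positive decimal integer and throw on anything else.
function validatePid(pid) {
  const s = String(pid);
  if (!/^[1-9][0-9]*$/.test(s)) {
    throw new TypeError('pid must be a positive integer, got ' + JSON.stringify(pid));
  }
  const n = Number(s);
  if (!Number.isSafeInteger(n)) throw new RangeError('pid out of range');
  return n;
}

// argv for a shell-free call: each element reaches ps as one argument.
function psArgs(pid) {
  return ['-o', 'pcpu,rss', '-p', String(validatePid(pid))];
}

// execFile does not spawn a shell, so metacharacters are never interpreted.
function psStats(pid, callback) {
  const { execFile } = require('child_process'); // loaded lazily; helpers above are pure
  execFile('ps', psArgs(pid), callback);
}

// Constructed input: digits followed by shell syntax.
const SAMPLE = '4242; echo constructed';

console.log(buildCommandUnsafe(SAMPLE));   // shell would see two commands
console.log(buildCommandParseInt(SAMPLE)); // trailing text silently dropped
console.log(buildCommandParseInt('abc'));  // non-numeric input becomes NaN
try { psArgs(SAMPLE); } catch (e) { console.log('rejected:', e.message); }
```

Because `parseInt` truncates rather than rejects, a caller passing malformed input gets statistics for whatever leading digits it contained; validating and throwing makes that misuse visible.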