Miggo Logo

CVE-2020-28426: Command injection in kill-process-on-port

7.3

CVSS Score
3.1

Basic Information

EPSS Score
0.90375%
Published
3/19/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
kill-process-on-portnpm<= 1.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. Multiple sources (GitHub Advisory, Snyk, NVD) explicitly name a.getProcessPortId as the injection vector
  2. The provided PoC demonstrates command injection through this function's parameter
  3. The package's purpose (killing processes by port) inherently requires executing system commands
  4. CWE-77 classification confirms improper neutralization in command execution
  5. Lack of path information is offset by clear function identification in vulnerability descriptions

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* p**k*** kill-pro**ss-on-port *r* vuln*r**l* to *omm*n* Inj**tion vi* *.**tPro**ssPortI*.

Reasoning

*. Multipl* sour**s (*it*u* **visory, Snyk, NV*) *xpli*itly n*m* *.**tPro**ssPortI* *s t** inj**tion v**tor *. T** provi*** Po* **monstr*t*s *omm*n* inj**tion t*rou** t*is *un*tion's p*r*m*t*r *. T** p**k***'s purpos* (killin* pro**ss*s *y port) in**