CVE-2021-23330: Command injection in launchpad
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-23330
EPSS Score: 0.937%
Published: 4/13/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| launchpad | npm | <= 0.7.5 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in command construction patterns across multiple files:

1) In `instance.js`, the `stop` method builds shell commands using user-controlled process names without proper sanitization.
2) In `version.js`, browser command paths are concatenated directly into execution commands.

Pull request #124 specifically addresses these areas by implementing input sanitization (a `safe()` function) and switching from `exec` to `execFile`. The PoC demonstrates exploitation through the `Instance` constructor and the `getPid` method, which ties to the vulnerable command construction in `instance.js`.