CVE-2021-23375: Command Injection in psnode
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-23375
GHSA ID:
EPSS Score: 0.73186%
CWE: CWE-77
Published: 5/6/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
psnode | npm | <= 0.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The kill function directly interpolates the user-controlled 'pid' input into a system command string that is passed to child_process.exec. Because exec runs that string through a shell, an attacker can inject arbitrary commands via shell metacharacters (e.g., '; rm -rf /'). The vulnerability is confirmed by: 1) the advisory description explicitly citing the kill function; 2) code showing unsafe command construction; 3) a proof-of-concept demonstrating successful injection; 4) the CWE-77 classification matching the pattern of unsanitized exec usage.