7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23375

GHSA ID

GHSA-m8fm-mv5w-33pv

EPSS Score

0.73186%

CWE

CWE-77

Published

5/6/2021

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23375

CVE-2021-23375: Command Injection in psnode

This affects all current versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23375

GHSA ID

GHSA-m8fm-mv5w-33pv

EPSS Score

0.73186%

CWE

CWE-77

Published

5/6/2021

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
psnode	npm	<= 0.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The kill function directly interpolates user-controlled 'pid' input into a system command string passed to child_process.exec. This allows attackers to inject arbitrary commands via shell metacharacters (e.g., '; rm -rf /'). The vulnerability is confirmed by: 1) Advisory description explicitly citing the kill function 2) Code showing unsafe command construction 3) Proof-of-concept demonstrating successful injection 4) CWE-77 classification matching the pattern of unsanitized exec usage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll *urr*nt v*rsions o* p**k*** psno**. I* *tt**k*r-*ontroll** us*r input is *iv*n to t** kill *un*tion, it is possi*l* *or *n *tt**k*r to *x**ut* *r*itr*ry *omm*n*s. T*is is *u* to us* o* t** **il*_pro**ss *x** *un*tion wit*out input s*

Reasoning

T** kill `*un*tion` *ir**tly int*rpol*t*s us*r-*ontroll** 'pi*' input into * syst*m *omm*n* strin* p*ss** to `**il*_pro**ss.*x**`. T*is *llows *tt**k*rs to inj**t *r*itr*ry *omm*n*s vi* s**ll m*t****r**t*rs (*.*., '; rm -r* /'). T** vuln*r**ility is

7.3

Basic Information

Concerned about an active attack path?

CVE-2021-23375: Command Injection in psnode

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI