
CVE-2021-23375: Command Injection in psnode

CVSS Score: 7.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.73186%
Published: 5/6/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name: psnode
Ecosystem: npm
Vulnerable Versions: <= 0.0.1
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis

The kill function directly interpolates user-controlled 'pid' input into a system command string passed to child_process.exec. This allows attackers to inject arbitrary commands via shell metacharacters (e.g., '; rm -rf /'). The vulnerability is confirmed by: 1) the advisory description explicitly citing the kill function; 2) code showing unsafe command construction; 3) a proof-of-concept demonstrating successful injection; 4) the CWE-77 classification matching the pattern of unsanitized exec usage.


WAF Protection Rules

WAF Rule

This affects all current versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input s
