Critical severity · NVD Advisory · Published Feb 28, 2015 · Updated May 6, 2026

CVE-2014-9682


Description

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
dns-sync (npm)
< 0.1.1 | 0.1.1


Patches

d9abaae384b1

adding validation check for hostname

https://github.com/skoranga/node-dns-syncSanjeev KorangaNov 10, 2014via ghsa
3 files changed · +25 7
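--- a/lib/dns-sync.js
+++ b/lib/dns-sync.js
@@ -6,15 +6,27 @@ var net = require('net'),
     shell = require('shelljs'),
     debug = require('debug')('dns-sync');
 
+//source - http://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address
+var ValidHostnameRegex = new RegExp("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$");
+
+function isValidHostName(hostname) {
+    return ValidHostnameRegex.test(hostname);
+}
 /**
  * Resolve hostname to IP address,
  * returns null in case of error
  */
 module.exports = {
     resolve: function resolve(hostname) {
         var output,
-            nodeBinary = process.execPath,
-            scriptPath = path.join(__dirname, "../scripts/dns-lookup-script"),
+            nodeBinary = process.execPath;
+
+        if (!isValidHostName(hostname)) {
+            console.error('Invalid hostname:', hostname);
+            return null;
+        }
+
+        var scriptPath = path.join(__dirname, "../scripts/dns-lookup-script"),
             response,
             cmd = util.format('"%s" "%s" %s', nodeBinary, scriptPath, hostname);
 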
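Review bot: The pattern on the `ValidHostnameRegex` line is built from a double-quoted string, so the `\.` and `\-` escapes are consumed by the string parser before `RegExp` sees them; the label separator becomes a bare `.`, which matches any single character rather than a literal dot, so the check admits separators the source regex in the comment was meant to exclude. Writing it as a regex literal keeps the escapes intact: `var ValidHostnameRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])$/;`. Because `hostname` still reaches `cmd` unquoted on the last context line, this validator is the only barrier between caller input and the shell; handing the script path and hostname to a `child_process` API that takes an argument array, if the Node versions the package supports provide one, would take the shell out of the path regardless of regex correctness. The `console.error` line also echoes the unvalidated input into the log, so downstream log consumers should treat that field as untrusted. `resolve` continues past the end of the hunk.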
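--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "dns-sync",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "dns-sync",
   "main": "index.js",
   "scripts": {
@@ -20,11 +20,11 @@
   "license": "MIT",
   "readmeFilename": "README.md",
   "dependencies": {
-    "debug" : "~0.7",
-    "shelljs": "~0.2"
+    "debug" : "^2",
+    "shelljs": "~0.3"
   },
   "devDependencies": {
-    "mocha" : "~1",
-    "jshint" : "*"
+    "mocha" : "^1",
+    "jshint" : "^2"
   }
 }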
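--- a/test/test.js
+++ b/test/test.js
@@ -16,4 +16,10 @@ describe('dns sync', function () {
         assert.ok(!dnsSync.resolve('www.not-google.first'));
         assert.ok(!dnsSync.resolve('www.hello-yahoo.next'));
     });
+
+    it('should fail to resolve valid dns', function () {
+        assert.ok(!dnsSync.resolve("$(id > /tmp/foo)'"));
+        assert.ok(!dnsSync.resolve("cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c \"echo date\"; cat /tmp/echo"));
+        assert.ok(!dnsSync.resolve("$(grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3)'"));
+    });
 });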
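Review bot: The name on the new `it(...)` line, 'should fail to resolve valid dns', contradicts what the assertions check — every input is an invalid hostname — and `assert.ok(!dnsSync.resolve(...))` passes equally when the new validator rejects the input and when the lookup script merely fails, so the test cannot tell whether the guard fired at all. Renaming it, e.g. `it('should reject hostnames containing shell metacharacters', function () {`, states the intent; exercising the validator directly (exporting `isValidHostName`, or asserting that the 'Invalid hostname:' error output was produced) would pin the behavior this commit adds rather than the absence of a DNS answer. The `describe` block and the preceding test start outside the hunk.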

