Critical severity · NVD score 9.8 · Advisory published Nov 17, 2017 · Updated May 13, 2026
CVE-2017-1000220
Description
soyuka/pidusage versions <= 1.1.4 are vulnerable to command injection: the caller-supplied `pid` argument is interpolated unsanitized into the process-query command the module runs (`ps` on Unix-like platforms, and the Windows process query), so a non-numeric pid string can result in arbitrary command execution. Fixed in 1.1.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pidusage (npm) | < 1.1.5 | 1.1.5 |
Affected products
Patches (1)
1 file changed · +9 −5
lib/stats.js+9 −5 modified@@ -14,8 +14,9 @@ var stats = { if(this.cpu !== null) { fs.readFile('/proc/uptime', 'utf8', function(err, uptime) { - if(err) + if(err) { return done(err, null) + } if(uptime === undefined) { console.error("[pidusage] We couldn't find uptime from /proc/uptime") @@ -28,24 +29,26 @@ var stats = { }) } else { helpers.cpu(function(err, cpu) { - if(err) + if(err) { return done(err, null) + } self.cpu = cpu return self.proc_calc(pid, options, done) }) } }, proc_calc: function(pid, options, done) { + pid = parseInt(pid, 10) var history = this.history[pid] ? this.history[pid] : {} var cpu = this.cpu var self = this //Arguments to path.join must be strings fs.readFile(p.join('/proc', ''+pid, 'stat'), 'utf8', function(err, infos) { - - if(err) + if(err) { return done(err, null) + } //https://github.com/arunoda/node-usage/commit/a6ca74ecb8dd452c3c00ed2bde93294d7bb75aa8 //preventing process space in name by removing values before last ) (pid (name) ...) @@ -94,7 +97,7 @@ var stats = { * on solaris 11 can't figure out a way to do this properly so... */ ps: function(pid, options, done) { - + pid = parseInt(pid, 10) var cmd = 'ps -o pcpu,rss -p ' if(os.platform() == 'aix') @@ -117,6 +120,7 @@ var stats = { * This is really in a beta stage */ win: function(pid, options, done) { + pid = parseInt(pid, 10) var history = this.history[pid] ? this.history[pid] : {} // http://social.msdn.microsoft.com/Forums/en-US/469ec6b7-4727-4773-9dc7-6e3de40e87b8/cpu-usage-in-for-each-active-process-how-is-this-best-determined-and-implemented-in-an?forum=csharplanguage var args = 'PROCESS ' + pid + ' get workingsetsize,usermodetime,kernelmodetime'
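Review bot: `parseInt(pid, 10)` neutralises shell metacharacters but does not reject bad input: a non-numeric pid becomes `NaN`, and a string such as `'123; rm -rf /'` is silently truncated to `123`, so the `ps` path still runs `ps -o pcpu,rss -p NaN` and `proc_calc` reads `/proc/NaN/stat`, surfacing the problem only as a confusing downstream error. Each of the three entry points (`proc_calc`, `ps`, `win`) should validate right after the coercion, e.g. `if (isNaN(pid) || pid < 0) return done(new Error('[pidusage] invalid pid: ' + pid), null)`; a negative value is worth rejecting too, since it would otherwise be concatenated after `-p`, where ps may read it as an option rather than a pid. The same two lines are repeated three times, so a small shared helper returning the integer or `null` would keep them consistent. The bodies of `ps` and `win` continue outside the hunk, so I cannot confirm whether a check already exists further down.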
Vulnerability mechanics
The three platform-specific entry points in lib/stats.js — `proc_calc` (reads `/proc/<pid>/stat`), `ps` (builds `'ps -o pcpu,rss -p ' + pid`) and `win` (builds `'PROCESS ' + pid + ' get workingsetsize,usermodetime,kernelmodetime'`) — concatenate the caller-supplied `pid` directly into a path or command string. In the vulnerable versions nothing visible in the patch constrained `pid` to an integer, so a string containing shell metacharacters reached the command executed by the `ps` and `win` paths. The fix (commit b70eca15) coerces `pid` with `parseInt(pid, 10)` at the top of each of the three functions, so only an integer (or `NaN`) can reach the command line; it does not otherwise reject malformed input.
References
References (5)
- nodesecurity.io/advisories/356 — NVD: Exploit, Mitigation, Third Party Advisory
- github.com/advisories/GHSA-h2p3-h48h-9jj7 — GHSA: Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-1000220 — GHSA: Advisory
- github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d — GHSA: Web (fix commit)
- web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356 — GHSA: Web (archived npm advisory)
News mentions
No linked articles in our index yet.