CVE-2017-16100
Description
dns-sync's resolve() method runs a shell command with unsanitized hostname input, enabling command injection in versions before the fix in 0.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In dns-sync, a synchronous DNS resolver for Node.js, the resolve() method constructs a shell command using util.format with the user-supplied hostname parameter. Before version 0.1.1, no validation is performed on the input, allowing an attacker to inject arbitrary shell commands via crafted hostname strings. The vulnerable code path is triggered whenever untrusted user input is passed directly to resolve() [1][2][3].
Exploitation
An attacker only needs to supply a malicious hostname to the resolve() function. No authentication or special network position is required; any application that uses dns-sync and passes user-controlled input to this method can be exploited. For example, a hostname value containing backticks or shell metacharacters (e.g., ; or $()) is interpreted by the shell and executed as part of the command [1][2][3].
Impact
Successful exploitation results in arbitrary command execution on the server running the Node.js application. The attacker gains the privileges of the Node.js process, which can lead to full system compromise, data exfiltration, or further lateral movement [1][3].
Mitigation
The vulnerability is fixed in dns-sync version 0.1.1, released after the commit d9abaae384b198db1095735ad9c1c73d7b890a0d added a hostname validation regex check. All users should upgrade to 0.1.1 or later. There is no known workaround other than sanitizing input before calling resolve() [3][4].
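An added example (not dns-sync's own code) of the mitigation described above: allow-list hostname validation, a check for the regex-escaping pitfall that affects patterns built from strings, and, going one step beyond the page, handing the value to a child process as an argument array so that no shell parses it. The function names, the echoing child script that stands in for the lookup helper, and the sample inputs are assumptions made for illustration.

```javascript
'use strict';
const { execFileSync } = require('child_process');

// One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
const LABEL = /^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;

// Allow-list validation: reject non-strings, over-long names and any label that
// contains a character outside the hostname alphabet.
function isValidHostname(hostname) {
  if (typeof hostname !== 'string' || hostname.length < 1 || hostname.length > 253) {
    return false;
  }
  return hostname.split('.').every((label) => LABEL.test(label));
}

// Pitfall when a pattern is passed to new RegExp() as a string: "\." loses its
// backslash and becomes ".", which matches any character, not only a dot.
function dotEscapeSurvives(pattern) {
  return !pattern.test('a_b'); // true only if "_" is NOT accepted as a separator
}
const FROM_STRING = new RegExp("^[a-z]\.[a-z]$");
const FROM_LITERAL = /^[a-z]\.[a-z]$/;

// Stand-in for the lookup helper (hypothetical): a child Node process that echoes
// its last argument. execFileSync passes argv as an array; no shell parses it.
function passToChild(hostname) {
  if (!isValidHostname(hostname)) {
    return null; // same contract as resolve(): null on invalid input
  }
  const child = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', child, '--', hostname], {
    encoding: 'utf8',
  });
}

// Constructed sample inputs; the third is one of the strings from the fix's test file.
const samples = ['www.example.com', 'exa_mple.com', "$(id > /tmp/foo)'", '-bad.example', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', passToChild(s));
}
console.log('string-built regex keeps the dot escape:', dotEscapeSurvives(FROM_STRING));
console.log('regex literal keeps the dot escape:', dotEscapeSurvives(FROM_LITERAL));
```
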
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dns-sync (npm) | < 0.1.1 | 0.1.1 |
Affected products
- HackerOne/dns-sync node module · v5 · Range: All versions
Patches
d9abaae384b1 · adding validation check for hostname
3 files changed · +25 −7
lib/dns-sync.js+14 −2 modified@@ -6,15 +6,27 @@ var net = require('net'), shell = require('shelljs'), debug = require('debug')('dns-sync'); +//source - http://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address +var ValidHostnameRegex = new RegExp("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"); + +function isValidHostName(hostname) { + return ValidHostnameRegex.test(hostname); +} /** * Resolve hostname to IP address, * returns null in case of error */ module.exports = { resolve: function resolve(hostname) { var output, - nodeBinary = process.execPath, - scriptPath = path.join(__dirname, "../scripts/dns-lookup-script"), + nodeBinary = process.execPath; + + if (!isValidHostName(hostname)) { + console.error('Invalid hostname:', hostname); + return null; + } + + var scriptPath = path.join(__dirname, "../scripts/dns-lookup-script"), response, cmd = util.format('"%s" "%s" %s', nodeBinary, scriptPath, hostname);
package.json+5 −5 modified@@ -1,6 +1,6 @@ { "name": "dns-sync", - "version": "0.1.0", + "version": "0.1.1", "description": "dns-sync", "main": "index.js", "scripts": { @@ -20,11 +20,11 @@ "license": "MIT", "readmeFilename": "README.md", "dependencies": { - "debug" : "~0.7", - "shelljs": "~0.2" + "debug" : "^2", + "shelljs": "~0.3" }, "devDependencies": { - "mocha" : "~1", - "jshint" : "*" + "mocha" : "^1", + "jshint" : "^2" } }
test/test.js+6 −0 modified@@ -16,4 +16,10 @@ describe('dns sync', function () { assert.ok(!dnsSync.resolve('www.not-google.first')); assert.ok(!dnsSync.resolve('www.hello-yahoo.next')); }); + + it('should fail to resolve valid dns', function () { + assert.ok(!dnsSync.resolve("$(id > /tmp/foo)'")); + assert.ok(!dnsSync.resolve("cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c \"echo date\"; cat /tmp/echo")); + assert.ok(!dnsSync.resolve("$(grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3)'")); + }); });
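Review bot: In lib/dns-sync.js, ValidHostnameRegex is built with new RegExp("...") from a double-quoted string, so the \. escape loses its backslash before the pattern is compiled and the label separator becomes a bare . that matches any character. isValidHostName() therefore accepts names whose labels are joined by something other than a dot. Use a regex literal or write \\. in the string, and cover the separator position with a test. The validated value is also still interpolated unquoted into cmd by util.format('"%s" "%s" %s', ...); passing it as a separate argument to a non-shell exec call would stop the fix from depending on the regex being exactly right.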
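Review bot: The dependency hunk in package.json changes ranges that have nothing to do with the hostname check ("debug" from ~0.7 to ^2, "shelljs" from ~0.2 to ~0.3, "jshint" from * to ^2) in the same commit that ships the security fix as 0.1.1. Move the dependency bumps into their own commit so the fix stays small enough to audit and backport; the major-version jump for debug in particular deserves a separate test run.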
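Review bot: The new case in test/test.js is titled 'should fail to resolve valid dns' although every input is an invalid hostname; rename it to say that invalid hostnames are rejected. All three inputs contain spaces and quotes, so none of them exercises the separator position between two otherwise valid labels, and the first two would touch files under /tmp if validation ever regressed. Add a case with a single disallowed character between valid labels, assert that an ordinary dotted name still passes isValidHostName(), and prefer inputs that are harmless if executed.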
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jcw8-r9xm-32c6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16100 (ghsa, ADVISORY)
- github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d (ghsa, WEB)
- github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d))) (ghsa, WEB)
- github.com/skoranga/node-dns-sync/issues/1 (ghsa, WEB)
- github.com/skoranga/node-dns-sync/issues/1) (ghsa, WEB)
- github.com/skoranga/node-dns-sync/issues/5 (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/523 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/153 (ghsa, WEB)
- www.npmjs.com/advisories/523 (ghsa, WEB)