CVE-2018-16460
Description
Command injection in ps npm package <1.0.0 allows arbitrary command execution when attacker controls PID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ps npm package versions before 1.0.0 are vulnerable to command injection. The ps.lookup function does not properly sanitize the pid parameter, allowing an attacker to inject arbitrary shell commands when controlling the PID argument. [1][2][3]
Exploitation
An attacker can exploit this by providing a malicious PID value containing shell metacharacters. No authentication is required if the application exposes the ps.lookup function with user-controlled input, e.g., via a web API. The injected commands are executed with the privileges of the Node.js process. [2][3]
Impact
Successful exploitation leads to arbitrary command execution on the host system, potentially resulting in full compromise of the Node.js application and server. The attacker can execute arbitrary OS commands, read/write files, and pivot to other systems. [1][3]
Mitigation
Upgrade to version 1.0.0 or later. The fix was released in September 2018. There are no known workarounds; applications that pass a user-controlled PID should sanitize the input or avoid passing it to ps.lookup. [2][3]
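The input check recommended above, as an added example that is not code from the ps package or the advisory: it accepts only a plain decimal PID and, as one alternative to a shell command string, queries the system ps binary through an argument vector. The names parsePid, psArgv, lookupProcess and the MAX_PID bound are assumptions made for illustration.

```javascript
// Assumed upper bound: Linux caps pid_max at 2^22. Adjust for other platforms.
const MAX_PID = 4194304;

// Return the PID as a number, or throw. Anything that is not a plain positive
// decimal integer is rejected, including arrays and objects that a query-string
// or JSON body parser may hand over in place of a string.
function parsePid(input) {
  if (typeof input === 'number') {
    if (!Number.isInteger(input)) throw new TypeError('pid must be an integer');
    input = String(input);
  }
  if (typeof input !== 'string' || !/^[1-9][0-9]{0,6}$/.test(input)) {
    throw new TypeError('pid must be a positive decimal integer');
  }
  const pid = Number(input);
  if (pid > MAX_PID) throw new RangeError('pid out of range');
  return pid;
}

// Build the argument vector for ps(1). Each element reaches the program as one
// argv entry and is never parsed by a shell.
function psArgv(rawPid) {
  return ['-o', 'pid=,comm=', '-p', String(parsePid(rawPid))];
}

// Look up one process. execFile starts ps directly, without a shell, so the
// validated PID is the only caller-supplied value on the command line.
function lookupProcess(rawPid, callback) {
  const { execFile } = require('node:child_process');
  let argv;
  try {
    argv = psArgv(rawPid);
  } catch (err) {
    return callback(err); // invalid input: nothing is executed
  }
  execFile('ps', argv, { timeout: 2000 }, (err, stdout) => {
    if (err) return callback(err); // ps exits non-zero when no such PID exists
    callback(null, stdout.trim());
  });
}
```

Validation is applied at the boundary and the argument vector is used as well, so a gap in one control does not expose the other.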
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ps (npm) | < 1.0.0 | 1.0.0 |
Affected products
- https://github.com/UmbraEngineering/ps (v5, Range: 1.0.0)
References
- github.com/advisories/GHSA-cfhg-9x44-78h2 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16460 (ADVISORY)
- github.com/nodejs/security-wg/blob/master/vuln/npm/470.json (WEB)
- hackerone.com/reports/390848 (WEB)
- www.npmjs.com/advisories/728 (WEB)