CVE-2018-21268
Description
A command injection vulnerability in node-traceroute allows remote attackers to execute arbitrary OS commands via the host parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The node-traceroute package through version 1.0.0 for Node.js contains a remote command injection flaw. The package uses Child.exec() to execute the system traceroute command, concatenating the user-supplied host parameter directly into the command string without sanitization. By inserting a newline character followed by an arbitrary OS command, an attacker can break out of the intended command and execute arbitrary commands on the underlying operating system [1].
Exploitation
Exploitation requires control over the host parameter passed to the traceroute function. The package does not validate or escape the input, so any application that uses this module and accepts user input for the host can be abused. The attack does not require authentication if the function is exposed via a network service, making it possible for remote attackers to inject commands simply by providing a malicious host string [2].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the Node.js process. This can lead to full server compromise, data exfiltration, or further lateral movement within the network. Because the package is a network diagnostic tool commonly used in server-side applications, the potential impact is amplified [1][2].
Mitigation
The vulnerability has been patched by switching from Child.exec() to Child.spawn(), which avoids shell interpretation. The fix is implemented in commit b99ee024a01a40d3d20a92ad3769cc78a3f6386f [4]. Users should upgrade to a version that includes this fix or apply the change manually. As of June 2020, no official patched release was available, but users can rely on the commit or consider using alternative packages [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| traceroute (npm) | <= 1.0.0 | — |
Affected products
- node-traceroute/node-traceroute
Patches
- b99ee024a01a: conversion to spawn and stream
2 files changed · +28 −35
package.json+1 −2 modified@@ -10,10 +10,9 @@ "engines": { "node": ">=4.0.0" }, - "dependencies": {}, "devDependencies": { "code": "2.x.x", - "lab": "9.x.x" + "lab": "10.x.x" }, "bugs": { "url": "https://github.com/jaw187/node-traceroute/issues"
traceroute.js+27 −33 modified@@ -18,23 +18,43 @@ module.exports = internals.Traceroute = {}; internals.Traceroute.trace = function (host, callback) { - Dns.lookup(host.toUpperCase(), (err) => { if (err && Net.isIP(host) === 0) { return callback(new Error('Invalid host')); } - const command = (internals.isWin ? 'tracert -d ' : 'traceroute -q 1 -n ') + host; - Child.exec(command, (err, stdout, stderr) => { + const command = (internals.isWin ? 'tracert' : 'traceroute'); + const args = internals.isWin ? ['-d', host] : ['-q', 1, '-n', host]; + + const traceroute = Child.spawn(command, args); + + const hops = []; + let counter = 0; + traceroute.stdout.on('data', (data) => { - if (err) { - return callback(err); + ++counter; + if ((!internals.isWin && counter < 2) || (internals.isWin && counter < 5)) { + return null; } - const results = internals.parseOutput(stdout); - return callback(null, results); + const result = data.toString().replace(/\n$/,''); + if (!result) { + return null; + } + + const hop = internals.parseHop(result); + hops.push(hop); }); + + traceroute.on('close', (code) => { + + if (callback) { + return callback(null, hops); + } + }); + + return traceroute; }); }; @@ -96,29 +116,3 @@ internals.parseHopNix = function (line) { return hop; }; - -internals.parseOutput = function (output) { - - const lines = output.split('\n'); - const hops = []; - - lines.shift(); - lines.pop(); - - if (internals.isWin) { - for (let i = 0; i < lines.length; ++i) { - if (/^\s+1/.test(lines[i])) { - break; - } - } - lines.splice(0,i); - lines.pop(); - lines.pop(); - } - - for (let i = 0; i < lines.length; ++i) { - hops.push(internals.parseHop(lines[i])); - } - - return hops; -};
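Review bot: the package.json hunk bumps `lab` from `9.x.x` to `10.x.x` and drops the empty `"dependencies": {}` block; neither change relates to the exec-to-spawn fix, so consider splitting them into a separate commit so the security fix can be reviewed and backported on its own.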
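Review bot: in the first traceroute.js hunk, the new `traceroute.on('close', (code) => { ... })` handler ignores `code` and no `'error'` listener is attached to the spawned child, so a non-zero exit is reported as success with whatever hops were collected and a missing binary (ENOENT) surfaces as an unhandled `'error'` event instead of reaching `callback`; suggest `traceroute.on('error', callback)` plus `if (code !== 0) { return callback(new Error(...)); }` on close. Two smaller points: the `counter < 2` / `counter < 5` header skipping treats every `'data'` chunk as exactly one line, which stream chunking does not guarantee (buffer and split on `\n` instead), and `['-q', 1, '-n', host]` passes the probe count as a number where the other argv values are strings, so `'1'` is the safer choice. Finally, the hunk shows the `Dns.lookup(host.toUpperCase(), (err) => {` opener removed while its matching `});` remains in the unchanged context; confirm the replacement opener is present in the commit as rendered here.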
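Review bot: the second traceroute.js hunk deletes `internals.parseOutput`, and with it the regex-based header detection (`/^\s+1/`) that located the first hop on Windows; the replacement in the earlier hunk relies on a fixed chunk count (`counter < 5`), so verify against real `tracert -d` output that the header is always the same number of lines. Note also that the removed code used `i` in `lines.splice(0,i)` outside the `for (let i = 0; ...)` block that declared it, which would have thrown a ReferenceError; no action needed since it is going away, but it suggests the Windows branch has not been exercised.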
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-8j9v-qhp4-wv55 (source: ghsa; type: ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2018-21268 (source: ghsa; type: ADVISORY)
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f (source: ghsa; type: x_refsource_MISC, WEB)
- https://github.com/jaw187/node-traceroute/tags (source: ghsa; type: x_refsource_MISC, WEB)
- https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3 (source: mitre; type: x_refsource_MISC)
- https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3 (source: ghsa; type: WEB)
- https://snyk.io/vuln/npm:traceroute:20160311 (source: ghsa; type: x_refsource_MISC, WEB)
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy (source: ghsa; type: x_refsource_MISC, WEB)
- https://www.npmjs.com/advisories/1465 (source: ghsa; type: x_refsource_MISC, WEB)
- https://www.npmjs.com/package/traceroute (source: mitre; type: x_refsource_MISC)
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package (source: ghsa; type: WEB)
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/ (source: mitre; type: x_refsource_MISC)
News mentions
No linked articles in our index yet.