CVE-2019-10783
Description
All versions of the lsof npm module up to 0.0.4 are vulnerable to command injection via user input passed to the exec function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The lsof npm module (versions up to and including 0.0.4) has a command injection vulnerability. The package's exported methods pass user-supplied input to the exec function without sanitization, allowing attackers to inject arbitrary shell commands [1][2].
Exploitation
An attacker can exploit this by providing crafted input, such as "& echo vulnerable > create.txt &", to any exported function like rawTcpPort. The exec function interprets the input as part of a shell command, resulting in execution of the injected commands [2]. No authentication or special privileges are required; any application using this module with untrusted input is exposed.
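The pattern described above, next to a hardened form, as an added example (not code from the lsof module or its advisory). The function names and the `lsof -i tcp:` command line are assumptions made for illustration.

```javascript
// Added illustration; all function names here are hypothetical and this is
// not the lsof module's source.

// VULNERABLE pattern: caller input is concatenated into one string that
// child_process.exec() hands to a shell, so shell metacharacters in `port`
// act as command separators.
function unsafeCommandLine(port) {
  return 'lsof -i tcp:' + port; // assumed command line, for illustration
}

// Hardened step 1: accept only a decimal TCP port in 1..65535.
function parsePort(input) {
  const text = String(input);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError('port must be 1-5 decimal digits');
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError('port out of range: ' + port);
  }
  return port;
}

// Hardened step 2: build an argv array. execFile() passes each element to
// the program as a single argument and starts no shell.
function safeArgv(input) {
  return ['-n', '-P', '-i', 'tcp:' + parsePort(input)];
}

// Runs lsof without a shell. Dynamic import works in CommonJS and ESM.
async function listTcpPort(input) {
  const argv = safeArgv(input); // throws before any process is spawned
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('lsof', argv, (err, stdout) => {
      // lsof exits with status 1 when nothing matches; treat as empty output
      if (err && err.code !== 1) return reject(err);
      resolve(stdout);
    });
  });
}
```

With the input quoted in the Exploitation paragraph, `unsafeCommandLine` returns a string in which the shell sees three commands, while `safeArgv` throws before anything is executed.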
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system where the vulnerable module is used. This can lead to data exfiltration, system compromise, or further lateral movement within the environment.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lsof (npm) | <= 0.0.4 | — |
Affected products
- lsof/lsof npm module
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-whq6-mj2r-mjqc (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10783 (advisory)
- snyk.io/vuln/SNYK-JS-LSOF-543632 (web)