High severity · NVD Advisory · Published Feb 28, 2020 · Updated Aug 5, 2024

CVE-2019-15609

Description

The kill-port-process npm package before version 2.2.0 is vulnerable to command injection via unsanitized user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

The kill-port-process package, versions prior to 2.2.0, is vulnerable to a command injection flaw. The root cause lies in the package's failure to properly sanitize user-controlled input before passing it to shell commands used to terminate processes on a given port. This allows an attacker to inject arbitrary operating system commands.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted port number or other input that includes shell metacharacters. The attack does not require authentication if the application using the package exposes the functionality to untrusted users. Successful injection leads to execution of arbitrary commands with the privileges of the Node.js process.

Impact

If exploited, an attacker can execute arbitrary commands on the server or system running the vulnerable package. This could result in full system compromise, data exfiltration, or further lateral movement within the network.

Mitigation

The vulnerability is fixed in version 2.2.0 and later. Users should update the package immediately. There is no workaround if the package is used with unfiltered user input. The issue was reported via HackerOne [1] and subsequently patched.
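The class of fix for the flaw described above, shown as an added example; it is not the package's code or its actual patch. It assumes a POSIX host with `lsof` available, and the names `parsePort`, `lsofArgs` and `killPort` are hypothetical: the port is validated as a strict integer, then passed as a separate argv entry to `execFile`, so no shell ever parses it.

```javascript
'use strict';
const { execFile } = require('child_process');

// For contrast, the vulnerable pattern is string concatenation into a shell:
//   exec('lsof -t -i:' + port)   // whole string is parsed by /bin/sh
// Anything after the digits in `port` is then interpreted as shell syntax.

// Accept only a decimal port in 1..65535; everything else is rejected.
function parsePort(input) {
  if (typeof input === 'number') {
    if (!Number.isInteger(input)) throw new TypeError(`invalid port: ${input}`);
    input = String(input);
  }
  if (typeof input !== 'string' || !/^[0-9]{1,5}$/.test(input)) {
    throw new TypeError(`invalid port: ${JSON.stringify(input)}`);
  }
  const port = Number(input);
  if (port < 1 || port > 65535) throw new RangeError(`port out of range: ${port}`);
  return port;
}

// Build the argument vector for lsof (assumed tool). Each element reaches the
// program as-is; metacharacters would have no meaning even if one slipped by.
function lsofArgs(input) {
  return ['-t', `-i:${parsePort(input)}`];
}

// Look up the PIDs bound to the port and signal them without spawning a shell.
function killPort(input, cb) {
  execFile('lsof', lsofArgs(input), (err, stdout) => {
    if (err) return cb(err); // lsof exits non-zero when nothing matches
    const pids = stdout.split('\n').filter((l) => /^[0-9]+$/.test(l)).map(Number);
    try {
      for (const pid of pids) process.kill(pid, 'SIGTERM');
    } catch (e) {
      return cb(e);
    }
    cb(null, pids);
  });
}

module.exports = { parsePort, lsofArgs, killPort };
```

Validation and shell-free execution are independent layers: either one alone blocks the injection described here, and using both keeps the call safe if one is later weakened.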

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
kill-port-process (npm)    < 2.2.1              2.2.1
