command injection fix in node-dns-sync
Description
A command injection vulnerability in the node-dns-sync npm module through 0.2.0 allows arbitrary code execution via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in the node-dns-sync npm module through 0.2.0 allows arbitrary code execution via unsanitized input.
Vulnerability
Summary
The node-dns-sync npm module (package name dns-sync) through version 0.2.0 contains a command injection vulnerability that enables execution of arbitrary commands [1][2]. The root cause is that the library invoked external scripts (e.g., shell scripts) without properly sanitizing user-supplied parameters, allowing an attacker to inject malicious shell commands through the hostname or type arguments of the resolve() method [3]. Prior to version 0.2.1, the code did not validate that the rrtype parameter matched a set of allowed DNS record types as defined by Node.js's dns.resolve() API [3].
Exploitation
Scenario
Exploitation requires that a client application passes untrusted input to the resolve() method of the library. The attacker does not need local access; the injection happens when the library constructs and executes a command line using the unsanitized input. The commit that fixes the vulnerability (cb10a5a) shows that previously the rrtype argument was not validated against a whitelist of acceptable values such as 'A', 'AAAA', 'MX', etc., enabling injection of special characters or shell metacharacters [3].
Impact
Successful exploitation can lead to remote code execution (RCE) under the context of the Node.js process that uses the vulnerable library [1]. An attacker could gain full control of the application server, steal sensitive data, or pivot to internal systems.
Mitigation
The vulnerability has been fixed in version 0.2.1 [1][2]. The fix introduces a whitelist RRecordTypes that restricts the type parameter to valid DNS record types [3]. All users should upgrade to dns-sync@0.2.1 or later. No known workarounds exist other than avoiding passing untrusted input to the vulnerable function.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dns-syncnpm | >= 0.1.3, < 0.2.1 | 0.2.1 |
Affected products
2- Range: < 0.2.1
Patches
1cb10a5ac7913allowing only valid rrtypes
6 files changed · +50 −7
CHANGELOG.md+17 −5 modified@@ -1,6 +1,18 @@ -####0.2.0 - - Updating dependencies +CHANGELOG +========== -####0.1.3 - - Added support for resolving AAAA and NS records - - Upgrading to latest shelljs dependency +0.2.1 +----- + +- Allowing only valid rrtypes as per https://nodejs.org/api/dns.html#dns_dns_resolve_hostname_rrtype_callback. + +0.2.0 +----- + +- Updating dependencies + +0.1.3 +----- + +- Added support for resolving AAAA and NS records +- Upgrading to latest shelljs dependency
lib/dns-sync.js+18 −0 modified@@ -8,6 +8,20 @@ var util = require('util'), //source - http://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address var ValidHostnameRegex = new RegExp("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"); +// https://nodejs.org/api/dns.html#dns_dns_resolve_hostname_rrtype_callback +var RRecordTypes = [ + 'A', + 'AAAA', + 'NS', + 'NAPTR', + 'CNAME', + 'SOA', + 'SRV', + 'PTR', + 'MX', + 'TXT', + 'ANY']; + function isValidHostName(hostname) { return ValidHostnameRegex.test(hostname); } @@ -26,6 +40,10 @@ module.exports = { console.error('Invalid hostname:', hostname); return null; } + if (typeof type !== 'undefined' && RRecordTypes.indexOf(type) === -1) { + console.error('Invalid rrtype:', type); + return null; + } var scriptPath = path.join(__dirname, "../scripts/dns-lookup-script"), response,
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "dns-sync", - "version": "0.2.0", + "version": "0.2.1", "description": "dns-sync", "main": "index.js", "scripts": {
README.md+3 −1 modified@@ -5,7 +5,9 @@ node-dns-sync Sync/Blocking DNS resolve. Main usecase is in node server startup. -### How to Use +How to Use +------- + ```javascript var dnsSync = require('dns-sync');
test/test.js+9 −0 modified@@ -1,6 +1,7 @@ 'use strict'; var assert = require('assert'), + fs = require('fs'), dnsSync = require('../index'); describe('dns sync', function () { @@ -38,4 +39,12 @@ describe('dns sync', function () { assert.ok(ns.length >= 1); assert.ok(ns[0].match(/^ns[0-9]+\.google\.com$/)); }); + + it('should fail to resolve if invalid record is asked', function () { + var rs1 = dnsSync.resolve('www.google.com', 'Test'); + var rs2 = dnsSync.resolve('www.google.com', ' && touch test.txt'); + assert.ok(!rs1); + assert.ok(!rs2); + assert.ok(!fs.existsSync('test.txt')); + }); });
.travis.yml+2 −0 modified@@ -4,3 +4,5 @@ node_js: - "6" - "8" - "10" + - "12" + - "14"
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-wh69-wc6q-7888ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-11079ghsaADVISORY
- github.com/skoranga/node-dns-sync/commit/cb10a5ac7913eacc031ade7d91596277f31645dcghsax_refsource_MISCWEB
- github.com/skoranga/node-dns-sync/security/advisories/GHSA-wh69-wc6q-7888ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.