Command Injection
Description
Command injection in node-ps package (all versions) via unsanitized psargs parameter allows arbitrary system command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
What the vulnerability is
The Node.js package node-ps is vulnerable to Command Injection in all versions. The injection point is located at line 72 in lib/index.js, where the psargs parameter passed to the lookup() function is not properly sanitized before being used in a system command invocation [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying a crafted psargs array containing shell metacharacters. For example, a proof of concept demonstrates that passing ["& touch JHU #"] leads to arbitrary command execution. No authentication or special privileges beyond the ability to call the lookup() function are required; the attack surface is any application that passes user-controlled input to node-ps's psargs option [3].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the Node.js process. This could lead to full system compromise, data exfiltration, or lateral movement within the network.
Mitigation
As of the publication date, there is no fixed version available for node-ps. The advisory recommends avoiding the use of the package if user input is passed to psargs, or implementing strict input validation to disallow shell metacharacters [3]. The vulnerability has not yet been listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
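One way to implement the input validation recommended under Mitigation, as an added example (not code from node-ps or from the advisory): an allowlist check applied to psargs before it reaches lookup(), plus a process listing that runs ps without a shell. The function names, the allowed option set and the sample inputs are assumptions made for illustration.

```javascript
// Added example: allowlist validation for values destined for node-ps's
// psargs option. All names and the allowed set below are assumptions.

// Only the ps option tokens this application actually needs (assumed set).
const ALLOWED_PSARGS = new Set(["-e", "-f", "-l", "-A", "aux", "ax", "lx"]);

// Returns a clean argv array, or throws on anything outside the allowlist.
// A space-separated string is accepted as well as an array (assumption).
function validatePsargs(psargs) {
  const list = typeof psargs === "string" ? psargs.trim().split(/\s+/) : psargs;
  if (!Array.isArray(list) || list.length === 0 || list.length > 4) {
    throw new TypeError("psargs must be 1-4 option tokens");
  }
  for (const token of list) {
    if (typeof token !== "string" || !ALLOWED_PSARGS.has(token)) {
      throw new RangeError("psargs token not allowed: " + JSON.stringify(token));
    }
  }
  return list.slice();
}

// Non-throwing variant for request handlers: { ok, args } or { ok, error }.
function checkPsargs(psargs) {
  try {
    return { ok: true, args: validatePsargs(psargs) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Runs ps with the validated tokens as an argv array. execFile does not start
// a shell, so "&", ";" or "#" inside an argument is never interpreted.
async function listProcesses(psargs) {
  const args = validatePsargs(psargs);
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("ps", args, { timeout: 5000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout.split("\n").filter(Boolean)));
  });
}

// Constructed sample inputs; the last is the PoC value quoted above.
const samples = [["aux"], ["-e", "-f"], "-e -f", ["& touch JHU #"]];
for (const s of samples) console.log(JSON.stringify(s), "->", checkPsargs(s));
```

An allowlist is used rather than a metacharacter blocklist because any token not explicitly expected is rejected, including ones a blocklist would miss.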
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-ps (npm) | <= 0.0.2 | — |
Affected products
- node-ps/node-ps (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4rv9-5vc4-88cg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7785 (ghsa, ADVISORY)
- github.com/fortruce/node-ps/blob/master/lib/index.js (ghsa, WEB)
- github.com/fortruce/node-ps/blob/master/lib/index.js%23L72 (mitre, x_refsource_MISC)
- snyk.io/vuln/SNYK-JS-NODEPS-1048335 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/package/node-ps (ghsa, x_refsource_MISC, WEB)