Moderate severity · OSV Advisory · Published Mar 31, 2021 · Updated Sep 16, 2024
Arbitrary Command Injection
CVE-2021-23348
Description
This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| portprocesses (npm) | < 1.0.5 | 1.0.5 |
Affected products
- Range: v1.0.0, v1.0.1, v1.0.2, …
Patches
86811216c9b9 Merge pull request from GHSA-vm67-7vmg-66vm
2 files changed · +16 −4
cli.js+3 −2 modified@@ -5,13 +5,14 @@ async function task() { const port = process.argv.pop(); const command = process.argv.pop(); + let result; switch (command) { case "kill": - const result = await main.killAllProcessesOnPort(port); + result = await main.killAllProcessesOnPort(port); console.log(result.filter(item => !item.success).map(item => `Failed to kill process ${item.pid}`).join('\n')); break; case "list": - const result = await main.listProcessesOnPort(port); + result = await main.listProcessesOnPort(port); console.log(result); break; default:
index.js+13 −2 modified@@ -1,7 +1,12 @@ const exec = require('./exec'); const listProcessesOnPort = module.exports.listProcessesOnPort = async port => { + const portNumber = parseInt(port, 10); + if (Number.isNaN(portNumber)) { + console.error("Must provide number for port."); + return; + } try { - const result = (await exec(`lsof -i :${port}`)).output.split('\n'); + const result = (await exec(`lsof -i :${portNumber}`)).output.split('\n'); const headers = result.shift().split(' ').filter(item => !!item.trim() && item.trim() !== "").map(item => item.toLowerCase()); return result.filter(item => !!item.trim() && item.trim() !== "").reduce((accumulator, currentValue) => { accumulator.push(currentValue.split(' ').filter(item => !!item.trim() && item.trim() !== "").reduce((accumulator, currentValue, index) => { @@ -19,8 +24,14 @@ const listProcessesOnPort = module.exports.listProcessesOnPort = async port => { } }; const killProcess = module.exports.killProcess = async pid => { + const pidNumber = parseInt(pid, 10); + if (Number.isNaN(pidNumber)) { + console.error("Must provide number for process identifier."); + return false; + } + try { - await exec(`kill ${pid}`); + await exec(`kill ${pidNumber}`); return true; } catch (e) { return false;
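Review bot: in the cli.js hunk the `kill` branch calls `result.filter(...)` with no guard, and the index.js hunks make `listProcessesOnPort` return `undefined` (not an array) when the port fails validation; if `killAllProcessesOnPort` surfaces that same `undefined`, the CLI throws a TypeError instead of showing the validation message. Suggest `if (!Array.isArray(result)) break;` before the `.filter` call, and the same check in the `list` branch so it does not print `undefined`. Hoisting `result` into a single `let` above the `switch` is the right fix for the duplicate `const` declaration in one block.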
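Review bot: in the first index.js hunk, `parseInt(port, 10)` only rejects input that has no leading digits, so malformed values are silently truncated rather than refused, and `-1`, `0` and `70000` all pass the `isNaN` check and reach `lsof -i :…`. Suggest validating with `Number.isInteger(Number(port)) && port >= 1 && port <= 65535`, and rejecting (`throw new RangeError(...)`) instead of `console.error` plus a bare `return`, which hands `undefined` to callers expecting an array. Passing the value as an argv element, `execFile('lsof', ['-i', `:${portNumber}`])`, would take the shell out of the path entirely.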
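Review bot: in the second index.js hunk the `isNaN` check in `killProcess` still admits `0` and negative numbers, which have special meaning to kill(1) (the caller's process group, and every process the caller may signal, respectively), so a non-positive pid is not a single-process kill. Suggest requiring a positive integer (`Number.isInteger(pidNumber) && pidNumber > 0`) and calling `process.kill(pidNumber, 'SIGTERM')` in place of `exec(`kill ${pidNumber}`)`, which removes the shell altogether; the `console.error` on validation failure is also library code writing to the terminal, which callers cannot suppress, so returning or throwing an error is preferable.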
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vm67-7vmg-66vm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23348 (NVD advisory)
- github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33c8299/index.js#L23
- github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aa4214e1
- github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm
- snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536