Arbitrary Command Injection
Description
All versions of the npm 'killing' package allow arbitrary command execution due to unsanitized input passed to child_process.exec().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The killing npm package (all versions) is vulnerable to arbitrary command injection. Its main functionality builds a shell command string from caller-supplied input and hands it to child_process.exec() without sanitizing or escaping it; the referenced source line is lib/killing.js line 62 in the xudafeng/killing repository on GitHub [2]. As described in the official CVE description and the Snyk advisory [1][3], any call to the killing function with attacker-controlled input results in that input being interpreted by the shell as part of the command. The vulnerable code path is reachable whenever the module is used with external data, such as command-line arguments, query parameters, or other user-controlled strings.
Exploitation
An attacker needs only the ability to provide a string argument to the killing() function. No authentication or special privileges are required, as the module does not enforce any access controls. The proof-of-concept provided by the Snyk advisory [3] demonstrates that calling killing('$(touch success)') will execute the shell command touch success as a side effect, creating a file named success. Any command can be injected using similar shell metacharacters ($(), backticks, semicolons, etc.). No race window or user interaction beyond the initial function call is required.
Impact
Successful exploitation allows an attacker to execute arbitrary shell commands on the host where the killing package runs, with the privileges of the Node.js process. This can lead to full compromise of that process and its host, including data exfiltration, file manipulation, installation of malware, or lateral movement within the network. The impact is rated as high (NVD had not published a CVSS 3.1 base score in the cited references, but Snyk's scoring indicates critical severity) [3].
Mitigation
As of the publication date (2021-04-18) and per the Snyk advisory [3], there is no fixed version of the killing package, and the GitHub repository shows no evidence of a patch [2]. Users should stop using the killing package entirely and migrate to an alternative that never builds a shell command from input: child_process.spawn or child_process.execFile with an argument array (no shell is involved, so metacharacters reach the child verbatim), or, if the goal is only to signal a process, Node's own process.kill with a validated numeric pid. If immediate removal is not possible, any user-supplied input must be validated against a strict allowlist (for example, digits only for a pid) before being passed to killing(); escaping for the shell is error-prone and should not be relied on as the sole control. The package is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the given references. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| killing (npm) | <= 1.0.6 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- https://github.com/advisories/GHSA-cq77-8jpx-892g (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-23381 (NVD)
- https://github.com/xudafeng/killing/blob/672ed164ccdd10c0a8fb93c5c6d2456f1dfab781/lib/killing.js#L62 (source, the exec() call)
- https://snyk.io/vuln/SNYK-JS-KILLING-1078532 (Snyk advisory)
- https://www.npmjs.com/package/killing (npm)
News mentions (0)
No linked articles in our index yet.