OS Command Injection in node-tool-utils via checkPortUsed Function #3

@shaobaobaoer

Summary

A critical OS command injection vulnerability (CWE-78) exists in the node-tool-utils package prior to version 1.6.0. The checkPortUsed function fails to sanitize user-supplied input, allowing attackers to execute arbitrary system commands by crafting malicious port identifiers. This vulnerability enables remote code execution when the function is used with untrusted input.

Details

The vulnerability arises in the checkPortUsed function of the node-tool-utils package, which is designed to check if a port is in use. When processing user-provided port values, the function does not properly sanitize special characters or shell metacharacters (e.g., semicolons, pipes). This allows attackers to append arbitrary commands to the port input, which are then executed in the underlying operating system shell during port validation checks.

The issue affects all versions of node-tool-utils prior to 1.6.0. A patch was introduced in version 1.6.0 to address this flaw by implementing strict input validation and sanitization for the checkPortUsed function.

Impact

This vulnerability falls under CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Applications that use the checkPortUsed function to validate untrusted user input (e.g., in APIs, web forms, or network services) are at risk of remote code execution. Successful exploitation could lead to:

  • Arbitrary command execution on the host system
  • Data exfiltration or tampering
  • Service disruption
  • Full system compromise

Users are strongly advised to upgrade to node-tool-utils@1.6.0 or later to mitigate this risk. For more information, refer to the package documentation.
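An added example, not code from node-tool-utils or from the issue author: one way to write a port check so that the port value is validated strictly and never passes through a shell. The names `parsePort`, `buildLookupArgs` and `checkPortUsedSafe` are hypothetical, and the use of `lsof` as the lookup tool is an assumption.

```javascript
'use strict';
const { execFile } = require('node:child_process');

// Hypothetical validator: accept only 1 to 5 decimal digits in the TCP port
// range. Anything else (separators, whitespace, hex, exponents) is rejected
// before a process is started.
function parsePort(input) {
  const text = String(input);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError('port must be 1 to 5 decimal digits');
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError('port must be in the range 1-65535');
  }
  return port;
}

// Build an argument vector instead of a command string. Assumption: lsof is
// the tool used for the lookup; the validated number is the only dynamic part.
function buildLookupArgs(input) {
  const port = parsePort(input);
  return ['-nP', `-iTCP:${port}`, '-sTCP:LISTEN'];
}

// execFile starts the program directly with the argv array and does not
// spawn a shell, so shell metacharacters are never interpreted, unlike
// the general pattern of interpolating a value into an exec() string.
function checkPortUsedSafe(input, callback) {
  let args;
  try {
    args = buildLookupArgs(input);
  } catch (err) {
    return callback(err);
  }
  execFile('lsof', args, (err, stdout) => {
    // lsof exits with status 1 when no socket matches: the port is free.
    if (err && err.code !== 1) return callback(err);
    callback(null, Boolean(stdout && stdout.trim()));
  });
}

// Constructed sample inputs that the validator must reject.
const REJECTED_SAMPLES = ['8080;id', '80|cat', '0', '65536', '', ' 80', '80\n', '0x50', '1e3'];
```

Validation and shell-free execution are independent layers: the digit-only check keeps malformed values out, and `execFile` keeps any value that does get through from being parsed as shell syntax.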
