security.snyk.io
2a02:26f0:6c00:291::ecd  Public Scan

Submitted URL: https://snyk.io/vuln/SNYK-JS-KILLBYPORT-1078531
Effective URL: https://security.snyk.io/vuln/SNYK-JS-KILLBYPORT-1078531
Submission: On June 29 via api from NL — Scanned from FR

Text Content

ARBITRARY COMMAND INJECTION AFFECTING KILL-BY-PORT PACKAGE, VERSIONS <0.0.2

--------------------------------------------------------------------------------

6.3 medium

 * EXPLOIT MATURITY: Proof of concept
 * ATTACK COMPLEXITY: Low


 * SNYK-ID: SNYK-JS-KILLBYPORT-1078531
 * PUBLISHED: 30 Mar 2021
 * DISCLOSED: 23 Feb 2021
 * CREDIT: OmniTaint


INTRODUCED: 23 FEB 2021

CVE-2021-23363

CWE-77

First added by Snyk



HOW TO FIX?

Upgrade kill-by-port to version 0.0.2 or higher.


OVERVIEW

kill-by-port is a package that kills a process by port.

Affected versions of this package are vulnerable to Arbitrary Command Injection.
If (attacker-controlled) user input is given to the killByPort function, it is
possible for an attacker to execute arbitrary commands. This is due to use of
the child_process exec function without input sanitization.


POC (PROVIDED BY REPORTER):

var kill_by_port = require('kill-by-port');

kill_by_port.killByPort('$(touch success)');

A file called success will be created as a result of the execution of touch
success.
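
The pattern described above next to a hardened form, as an added example that is not code from kill-by-port or from the advisory. The helper names (parsePort, unsafeCommandLine, lsofInvocation, killByPortSafe) and the lsof/kill command line are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the package's own implementation.
const { execFile } = require('child_process');

// Accept only a decimal port number in 1-65535; reject everything else
// before it gets anywhere near a process-spawning call.
function parsePort(input) {
  if (typeof input !== 'string' && typeof input !== 'number') {
    throw new TypeError('port must be a string or a number');
  }
  const text = String(input);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError('port must be 1 to 5 decimal digits');
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError('port must be between 1 and 65535');
  }
  return port;
}

// Risky pattern: caller input is concatenated into one string. When such a
// string is passed to child_process.exec it is run by a shell, so a $(...)
// sequence inside the input is expanded. (Assumed command line.)
function unsafeCommandLine(input) {
  return 'kill -9 $(lsof -t -i:' + input + ')';
}

// Hardened form: a validated integer placed in an argument vector.
function lsofInvocation(input) {
  const port = parsePort(input);
  return { file: 'lsof', args: ['-t', '-i:' + port] };
}

// execFile starts lsof directly (no shell); PIDs are signalled in-process.
function killByPortSafe(input, callback) {
  const { file, args } = lsofInvocation(input);
  execFile(file, args, (err, stdout) => {
    if (err) return callback(err); // lsof exits non-zero when nothing matches
    const pids = stdout.split('\n').filter((l) => /^[0-9]+$/.test(l)).map(Number);
    pids.forEach((pid) => process.kill(pid, 'SIGKILL'));
    callback(null, pids);
  });
}
```

With this validation the reporter's PoC string is rejected with a TypeError before any process is started.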

