CVE-2021-45459

high-risk
Published 2021-12-22

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.

Do I need to act?

~
2.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (6)

Node-Windows
Node-Windows
Node-Windows
Node-Windows
Node-Windows
Node-Windows

Affected Vendors

Node-Windows Project

References (6)

Patch https://github.com/coreybutler/node-windows/compare/1.0.0-beta.5...1.0.0-beta.6
Exploit https://github.com/dwisiswant0/advisory/issues/4
Third Party Advisory https://security.netapp.com/advisory/ntap-20220107-0004/
Patch https://github.com/coreybutler/node-windows/compare/1.0.0-beta.5...1.0.0-beta.6
Exploit https://github.com/dwisiswant0/advisory/issues/4
Third Party Advisory https://security.netapp.com/advisory/ntap-20220107-0004/
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 13/34 · Low