CVE-2021-23359
📋 TL;DR
CVE-2021-23359 is a command injection vulnerability in the port-killer npm package that allows attackers to execute arbitrary commands on the system. This affects all versions of port-killer where user input is passed to the vulnerable function. Any application using this package with untrusted input is vulnerable to remote code execution.
💻 Affected Systems
- port-killer npm package
📦 What is this software?
Port Killer by Port Killer Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute any command with the privileges of the running process, potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Arbitrary command execution leading to file creation/modification, data exfiltration, or installation of backdoors/malware.
If Mitigated
No impact if input validation/sanitization is implemented or if the package is not used with untrusted input.
🎯 Exploit Status
Proof of concept demonstrates command injection via user input. Exploitation is straightforward with minimal technical barriers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/tylerjpeterson/port-killer/security/advisories
Restart Required: No
Instructions:
1. Remove port-killer package from your project. 2. Use alternative packages like kill-port or implement port killing functionality securely. 3. Update package.json and run npm install.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation to ensure only expected values are passed to port-killer functions
// Example: Validate input is numeric only
const port = req.body.port;
if (!/^\d+$/.test(port)) {
throw new Error('Invalid port number');
}
Replace with Safe Alternative
allReplace port-killer with a secure alternative package that doesn't use exec() with user input
npm uninstall port-killer
npm install kill-port
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user inputs passed to port-killer
- Run the application with minimal privileges and in a sandboxed/containerized environment
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for port-killer dependency. Run: npm list port-killerCheck Version:
npm list port-killerVerify Fix Applied:
Verify port-killer is no longer in package.json and npm list shows no port-killer installation📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Node.js applications
- File creation/modification by Node.js processes
- Error logs showing command execution failures
Network Indicators:
- Unexpected outbound connections from Node.js applications
- Command and control traffic patterns
SIEM Query:
process.name:"node" AND (process.cmdline:*exec* OR process.cmdline:*child_process*)🔗 References
- https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19
- https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533
- https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19
- https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533
