CVE-2021-23381 – CVE-2021-23381 is a command injection vulnerabi... (How to Fix)

Q: What is the severity of CVE-2021-23381?

CVE-2021-23381 has a CVSS score of 7.3 (HIGH). CVE-2021-23381 is a command injection vulnerability in the 'killing' npm package that allows attackers to execute arbitrary commands on affected systems. This occurs when attacker-controlled input reaches the vulnerable child_process.exec function without proper sanitization. All versions of the killing package are affected.

📋 TL;DR

CVE-2021-23381 is a command injection vulnerability in the 'killing' npm package that allows attackers to execute arbitrary commands on affected systems. This occurs when attacker-controlled input reaches the vulnerable child_process.exec function without proper sanitization. All versions of the killing package are affected.

💻 Affected Systems

Products:

killing npm package

Versions: All versions

Operating Systems: All operating systems running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using the killing package with user-controlled input is vulnerable.

📦 What is this software?

Killing by Killing Project

View all CVEs affecting Killing →

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining remote code execution, data exfiltration, and lateral movement capabilities.

🟠

Likely Case

Arbitrary command execution leading to data theft, service disruption, or installation of malware.

🟢

If Mitigated

Limited impact with proper input validation and security controls preventing malicious input from reaching vulnerable function.

🌐 Internet-Facing: HIGH - Web applications using this package could allow remote attackers to execute commands.

🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward as it requires only passing malicious input to the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://github.com/xudafeng/killing/security/advisories

Restart Required: No

Instructions:

1. Remove the killing package from your project. 2. Use alternative packages or implement functionality securely. 3. Update package.json and lock files.

🔧 Temporary Workarounds

Input Sanitization Wrapper

all

Implement strict input validation and sanitization before passing data to killing functions

// Example: Validate and sanitize user input before use
const sanitizedInput = userInput.replace(/[^a-zA-Z0-9]/g, '');

Network Isolation

linux

Isolate affected applications from sensitive systems and the internet

# Use firewall rules to restrict network access
iptables -A INPUT -p tcp --dport [APP_PORT] -j DROP

🧯 If You Can't Patch

Implement strict input validation and sanitization for all user-controlled data
Deploy network segmentation and restrict application access to minimum required resources

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for 'killing' dependency. Run: npm list killing

Check Version:

npm list killing | grep killing

Verify Fix Applied:

Confirm killing package is removed from dependencies and no longer appears in npm list

📡 Detection & Monitoring

Log Indicators:

Unusual child process executions
Suspicious command-line arguments in process logs
Error logs showing command execution failures

Network Indicators:

Unexpected outbound connections from Node.js processes
Command and control traffic patterns

SIEM Query:

process.name:node AND (process.args:*cmd* OR process.args:*sh* OR process.args:*bash*) AND process.parent.name:node

📊 Metadata

CVE ID: CVE-2021-23381

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-78

Published: April 18, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/xudafeng/killing/blob/672ed164ccdd10c0a8fb93c5c6d2456f1dfab781/lib/killing.js%23L62 Broken Link
https://snyk.io/vuln/SNYK-JS-KILLING-1078532 Exploit,Third Party Advisory
https://github.com/xudafeng/killing/blob/672ed164ccdd10c0a8fb93c5c6d2456f1dfab781/lib/killing.js%23L62 Broken Link
https://snyk.io/vuln/SNYK-JS-KILLING-1078532 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23381, you might also want to check these: