
Rewterz Threat Advisory – Multiple Node.js Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-23374

The Node.js ps-visitor module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23375

The Node.js psnode module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23376

The Node.js ffmpegdotjs module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23377

The Node.js onion-oled-js module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23378

The Node.js picotts module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23379

The Node.js portkiller module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23380

The Node.js roar-pidusage module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

CVE-2021-23381

The Node.js killing module allows a remote attacker to execute arbitrary commands on the system. The vulnerability is caused by the use of the child_process exec function without input validation; an attacker can exploit it by sending a specially crafted request.

Impact

Unauthorized Access

Affected Vendors

NodeJS

Affected Products

  • Node.js ps-visitor 0.0.1
  • Node.js ps-visitor 0.0.2
  • Node.js psnode 0.0.1
  • Node.js ffmpegdotjs 0.0.2
  • Node.js ffmpegdotjs 0.0.3
  • Node.js ffmpegdotjs 0.0.4
  • Node.js onion-oled-js 0.0.1
  • Node.js onion-oled-js 0.0.2
  • Node.js picotts 0.1.0
  • Node.js picotts 0.1.1
  • Node.js portkiller 1.0.0 all versions
  • Node.js roar-pidusage 1.1.4 all versions
  • Node.js killing 0.0.1 all versions

Remediation

Node.js has yet to release a patch for the affected products. For further updates, visit https://docs.npmjs.com/searching-for-and-choosing-packages-to-download