Skip to content

Command Injection in dns-sync

Critical severity GitHub Reviewed Published Jul 18, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm dns-sync (npm)

Affected versions

< 0.1.1

Patched versions

0.1.1

Description

Affected versions of dns-sync have an arbitrary command execution vulnerability in the resolve() method.

Recommendation

  • Use an alternative dns resolver
  • Do not allow untrusted input into dns-sync.resolve()

References

Published to the GitHub Advisory Database Jul 18, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

0.843%
(83rd percentile)

Weaknesses

CVE ID

CVE-2017-16100

GHSA ID

GHSA-jcw8-r9xm-32c6

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.