node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.
If untrusted user input is allowed into the resolve() method then command injection is possible.
If untrusted user input is allowed into the resolve() method then command injection is possible.
The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.