CVE-2014-9682: dns-sync Command Injection

February 27, 2015 (updated March 2, 2015)

The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.

References

github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d
github.com/skoranga/node-dns-sync/issues/1

Detect and mitigate CVE-2014-9682 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →