Skip to content

Command Injection in dns-sync

Critical severity GitHub Reviewed Published Jul 18, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm dns-sync (npm)

Affected versions

< 0.1.1

Patched versions

0.1.1

Description

Affected versions of dns-sync have an arbitrary command execution vulnerability in the resolve() method.

Recommendation

  • Use an alternative dns resolver
  • Do not allow untrusted input into dns-sync.resolve()

References

Published to the GitHub Advisory Database Jul 18, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(86th percentile)

Weaknesses

CVE ID

CVE-2017-16100

GHSA ID

GHSA-jcw8-r9xm-32c6

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.