Unitech / pm2

Node.js Production Process Manager with a built-in Load Balancer.
https://pm2.keymetrics.io/docs/usage/quick-start/

Command Injection #4491

Open dfritsch86 opened 4 years ago

dfritsch86 commented 4 years ago

A command injection issue was openly disclosed on hackerone: https://hackerone.com/reports/633364

Has this already been fixed on newly released versions of pm2?

alexlemaire commented 4 years ago

Following up on that as I've just got 2 security warnings popping up when installing pm2 as a dependency. This seems to have been disclosed by the same person.

See here and there

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dfritsch86 commented 4 years ago

It is a pity to see that security seems to be prioritized so low...

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

alexlemaire commented 4 years ago

As of now, the vulnerability hasn't been patched yet. Any updates on this?

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

fridan commented 4 years ago

Any news regarding this issue?