OS Command Injection in zacanger/is-program-installed


Reported on

Sep 12th 2021

✍️ Description

There is "OS Command Injection" vulnerability on "is-program-installed" npm package. This package tries to understand the given parameter name (program or binary name) is installed in the computer or not. However, since this package does not properly control the characters in the program name taken as input, it is possible to run commands on the operating system.

🕵️‍♂️ Proof of Concept

// PoC.js
const isInstalled = require('is-program-installed')
console.log(isInstalled('powershell.exe && whoami > result.txt'));
// After running this program, "result.txt" file will be created with the "whoami" command's output in it.

💥 Impact

Attacker can run the command on the machine.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the zacanger/is-program-installed team and are waiting to hear back 2 years ago
We have sent a second follow up to the zacanger/is-program-installed team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the zacanger/is-program-installed team. This report is now considered stale. 2 years ago
2 years ago


Any update, It has been 3 months?

Jamie Slome
a year ago


The maintainer just responded on the GitHub Issue. I am sending them the report URL now :)

a year ago


Thanks for the report, sorry it took forever to take a look at. Fixed in 2.3.4: https://github.com/zacanger/is-program-installed/blob/v2.3.4/index.js#L76=

zacanger validated this vulnerability a year ago
oivrip has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
zacanger marked this as fixed in 2.3.4 with commit d96b35 a year ago
zacanger has been awarded the fix bounty
This vulnerability will not receive a CVE
zacanger gave praise a year ago
Thanks for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
a year ago


Thanks for the fix : )

to join this conversation