Description
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Remediation
References
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
https://snyk.io/vuln/npm:traceroute:20160311
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
https://www.npmjs.com/advisories/1465
https://www.npmjs.com/package/traceroute
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
Related Vulnerabilities
CVE-2020-13957 Vulnerability in maven package org.apache.solr:solr-solrj
CVE-2023-3308 Vulnerability in maven package com.whaleal.icefrog:icefrog-all
CVE-2022-24429 Vulnerability in npm package convert-svg-core
CVE-2017-16016 Vulnerability in npm package sanitize-html
CVE-2018-15531 Vulnerability in maven package net.bull.javamelody:javamelody-core