Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/53658?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53658?format=api", "purl": "pkg:npm/pidusage@1.1.4", "type": "npm", "namespace": "", "name": "pidusage", "version": "1.1.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.1.5", "latest_non_vulnerable_version": "1.1.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43368?format=api", "vulnerability_id": "VCID-6zte-e3ar-gua9", "summary": "PIDUsage Enables OS Command Injection\n### Overview\nAffected versions of pidusage pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method.\n\nThis package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.\n\nWindows and Linux are not vulnerable.\n\n### Proof of Concept\n```js\nvar pid = require('pidusage');\npid.stat('1 && /usr/local/bin/python');\n```\n\n### Remediation\nUpdate to version 1.1.5 or later.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000220", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11815", "scoring_system": "epss", "scoring_elements": "0.93848", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000220" }, { "reference_url": "https://github.com/soyuka/pidusage", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/soyuka/pidusage" }, { "reference_url": "https://github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d" }, { "reference_url": "https://web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000220", "reference_id": "CVE-2017-1000220", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000220" }, { "reference_url": "https://github.com/advisories/GHSA-h2p3-h48h-9jj7", "reference_id": "GHSA-h2p3-h48h-9jj7", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h2p3-h48h-9jj7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53659?format=api", "purl": "pkg:npm/pidusage@1.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pidusage@1.1.5" } ], "aliases": [ "CVE-2017-1000220", "GHSA-h2p3-h48h-9jj7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6zte-e3ar-gua9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53014?format=api", "vulnerability_id": "VCID-ba2z-xjzy-xbep", "summary": "Improper Neutralization of Special Elements used in an OS Command 
('OS Command Injection') in pidusage.", "references": [ { "reference_url": "https://www.npmjs.com/advisories/356", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/356" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16034", "reference_id": "CVE-2017-16034", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16034" }, { "reference_url": "https://github.com/advisories/GHSA-hfq9-rfpv-j8r8", "reference_id": "GHSA-hfq9-rfpv-j8r8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hfq9-rfpv-j8r8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53659?format=api", "purl": "pkg:npm/pidusage@1.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pidusage@1.1.5" } ], "aliases": [ "CVE-2017-16034", "GHSA-hfq9-rfpv-j8r8", "GMS-2020-757" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ba2z-xjzy-xbep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38642?format=api", "vulnerability_id": "VCID-zqxw-jzqq-akfw", "summary": "Command Injection\nThe pidusage module passes unsanitized input to child_process.exec, resulting in command injection in the ps method, as the pid is never cast to an integer as the comment expects. This module is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. 
Windows and Linux are not vulnerable.", "references": [], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53659?format=api", "purl": "pkg:npm/pidusage@1.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pidusage@1.1.5" } ], "aliases": [ "GMS-2017-137" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zqxw-jzqq-akfw" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pidusage@1.1.4" }