June 17, 2020

GHSL-2020-119: command injection vulnerability in node-dns-sync resolve method - CVE-2020-11079

Kevin Backhouse


The resolve method of the node-dns-sync library had a command injection vulnerability. Clients of the node-dns-sync library are unlikely to be aware of this, so they might unwittingly write code that contains a command injection vulnerability. This issue was resolved in version 0.2.1.



Tested Version

Commit 93b8034

Details: Command injection in resolve

Node-dns-sync’s resolve method did not sufficiently sanitize user-supplied input before building a shell command line, which allowed arbitrary shell commands to be injected.

For example:

var dnsSync = require('dns-sync');
// The hostname is empty; the second argument carries a shell payload that is
// spliced into the command line the library runs.
dnsSync.resolve('', " && touch exploit")

would result in the shell command touch exploit being run on the system that invoked the method.


This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.


Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.


This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples:

CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.


This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).


You can contact the GHSL team at, please include GHSL-2020-119 in any communication regarding this issue.