CRITICALCVE-2017-16042CVSS 9.8

CVE-2017-16042: Command Injection in growl Node.js Module

Platform

nodejs

Component

growl

Fixed in

1.10.0

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2017-16042 describes a Command Injection vulnerability present in the growl Node.js module. This flaw allows attackers to execute arbitrary commands on the system due to insufficient input sanitization. The vulnerability impacts versions of growl before 1.10.0, and a patch is available in version 1.10.0 and later.

Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker who can exploit CVE-2017-16042 can gain complete control over the affected system. This could involve executing malicious code, stealing sensitive data, installing malware, or pivoting to other systems on the network. The ability to inject arbitrary commands bypasses standard security controls and allows for a wide range of malicious activities. Given the module's potential use in notification systems, an attacker could potentially leverage this to gain access to critical infrastructure or sensitive user data.

Exploitation Context

CVE-2017-16042 was publicly disclosed on June 8, 2018. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential for significant impact make it a persistent risk. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the ease with which an attacker can execute arbitrary commands.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.35% (57% percentile)

CVSS Vector

Affected Software

Componentgrowl

Vendorosv

Affected rangeFixed in

—1.10.0

Timeline

Published2018-06-08
Modified2023-11-08
EPSS updated2026-04-02

Patched -329 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2017-16042 is to upgrade the growl Node.js module to version 1.10.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on any user-supplied data passed to the growl module. While a direct WAF rule is unlikely, implementing strict input validation within your application logic can help prevent command injection attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with malicious input and verifying that the command is not executed.

How to fix

No official patch available. Check for workarounds or monitor for updates.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2017-16042 — Command Injection in growl Node.js Module?

CVE-2017-16042 is a critical vulnerability in the growl Node.js module that allows attackers to execute arbitrary commands due to insufficient input sanitization.

Am I affected by CVE-2017-16042 in growl Node.js Module?

You are affected if you are using a version of the growl Node.js module prior to 1.10.0. Check your installed version using npm list growl.

How do I fix CVE-2017-16042 in growl Node.js Module?

Upgrade the growl Node.js module to version 1.10.0 or later using npm install growl@latest.

Is CVE-2017-16042 being actively exploited?

While no active campaigns have been definitively linked, the vulnerability's ease of exploitation makes it a persistent risk.

Where can I find the official growl advisory for CVE-2017-16042?

Refer to the npm advisory for CVE-2017-16042: https://www.npmjs.com/advisories/791