Platform: nodejs
Component: dns-sync
Fixed in: 0.1.1
CVE-2017-16100 describes a critical Command Injection vulnerability affecting the dns-sync package. This flaw allows attackers to execute arbitrary commands on the system by manipulating input to the resolve() method. Versions of dns-sync prior to 0.1.1 are vulnerable. A fix is available in version 0.1.1.
The dns-sync package is a DNS resolver for Node.js. This vulnerability allows an attacker to inject arbitrary commands into the system's shell. Successful exploitation could lead to complete system compromise, including data theft, malware installation, and denial of service. The impact is particularly severe if dns-sync is used in a production environment or handles sensitive data. The ability to execute commands directly on the server represents a significant security risk, potentially enabling attackers to gain persistent access and control.
This vulnerability was publicly disclosed in July 2018. While no active exploitation campaigns have been definitively linked to CVE-2017-16100, the ease of exploitation and the critical severity make it a potential target. Public proof-of-concept exploits are available, increasing the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV.
Exploit status
EPSS: 5.34% (90th percentile)
The primary mitigation for CVE-2017-16100 is to upgrade to dns-sync version 0.1.1 or later. If upgrading is not immediately feasible, consider switching to an alternative DNS resolver so that you no longer depend on the vulnerable package. Validating the input passed to dns-sync's resolve() method is essential to prevent command injection: review and sanitize any user-supplied data before it reaches this function. A Web Application Firewall (WAF) can add a further layer of filtering for potentially malicious requests.
CVE-2017-16100 is a critical vulnerability in the dns-sync Node.js package that allows attackers to execute arbitrary commands on the system through the resolve() method.
You are affected if you are using a version of dns-sync prior to 0.1.1 and are not properly sanitizing input to the resolve() method.
Upgrade to version 0.1.1 or later of dns-sync. Alternatively, use a different DNS resolver.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the original vulnerability report and related security advisories for details: [https://nvd.nist.gov/vuln/detail/CVE-2017-16100](https://nvd.nist.gov/vuln/detail/CVE-2017-16100)