Platform: nodejs
Component: whereis
Fixed in: 0.4.1
CVE-2018-3772 is a command injection vulnerability in versions of the whereis package for NodeJS prior to 0.4.1. If untrusted user input is passed to the whereis utility, an attacker can execute arbitrary commands on the host. The vulnerability was published on July 31, 2018, and a fix is available in version 0.4.1.
The impact of this command injection vulnerability is severe. An attacker who can inject commands can gain complete control over the NodeJS process and potentially the underlying system. This could lead to data breaches, system compromise, and denial of service. The attacker could read sensitive files, install malware, or pivot to other systems on the network. The ability to execute arbitrary commands makes this a high-risk vulnerability, especially in environments where whereis is used to locate files based on user-supplied input.
This vulnerability is considered critical due to the ease of exploitation and the potential impact. While no active exploitation campaigns have been publicly reported, the simplicity of command injection vulnerabilities often makes them attractive targets. The vulnerability was disclosed publicly on July 31, 2018, and is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge if they don't already exist.
Exploit Status
EPSS: 0.59% (69th percentile)
CVSS Vector
The primary mitigation for CVE-2018-3772 is to upgrade to version 0.4.1 or later of the whereis package within your NodeJS project. If upgrading is not immediately feasible, validate and sanitize input so that untrusted data never reaches whereis, and restrict the permissions of the NodeJS process to limit the damage a successful exploit could do. After upgrading, confirm the fix in a test environment by passing input containing shell metacharacters to whereis; the input should be sanitized and no injected command should run.
CVE-2018-3772 is a critical command injection vulnerability in NodeJS whereis versions before 0.4.1, allowing attackers to execute arbitrary commands.
You are affected if you are using NodeJS whereis versions earlier than 0.4.1 and are passing untrusted input to the whereis utility.
Upgrade to version 0.4.1 or later of the whereis package. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the relevant security advisories and documentation from the NodeJS community and the whereis package maintainers for detailed information.