Vulnerability details: The node-ps package has a design weakness. An injection point was found in lib/index.js. The package should probably avoid the exec() function and use execFile() instead. execFile() executes a single command and does not spawn a shell by default, which makes it safer than exec().
Remark: By default, pipes for stderr are established between the parent Node.js process and the spawned subprocess.
Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-7785