All versions of traceroute are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an exec call, which may allow attackers to execute arbitrary code in the system. The trace function is vulnerable and can be abused if the host value is controlled by an attacker.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

• https://snyk.io/vuln/npm:traceroute:20160311
• https://www.npmjs.com/advisories/1465
• https://github.com/jaw187/node-traceroute