CVE-2019-15599
Command Injection in tree-kill
EPSS 3.8%
Description
Versions of `tree-kill` prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the `kill` function. If this value is user-controlled, it may allow attackers to run arbitrary commands on the server. The issue only affects Windows systems.

## Recommendation

Upgrade to version 1.2.2 or later.
How to fix CVE-2019-15599
To remediate CVE-2019-15599, upgrade the affected package to a fixed version below.
- npm/tree-kill—upgrade to 1.2.2 or later
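Alongside the upgrade, callers can refuse anything that is not a plain process ID before it reaches `kill`. The following is an added example, not code from tree-kill or from this advisory: `parsePid`, `safeTreeKill` and `demo` are hypothetical helper names, the 32-bit PID ceiling is an assumption, and the `kill(pid, signal, callback)` call shape is tree-kill's exported function passed in by the caller.

```javascript
// Added example: strict PID validation in front of tree-kill's kill().
// parsePid, safeTreeKill and demo are hypothetical names, not tree-kill APIs.

const MAX_PID = 0xffffffff; // assumption: PIDs fit in an unsigned 32-bit value

function parsePid(value) {
  // Accept only an integer, or a string made purely of decimal digits.
  // Anything with spaces, operators, hex prefixes or signs is rejected
  // outright rather than being partially parsed.
  let pid;
  if (typeof value === "number") {
    pid = value;
  } else if (typeof value === "string" && /^[0-9]{1,10}$/.test(value)) {
    pid = Number(value);
  } else {
    throw new TypeError("pid must be a positive integer");
  }
  if (!Number.isInteger(pid) || pid < 1 || pid > MAX_PID) {
    throw new TypeError("pid out of range");
  }
  return pid;
}

function safeTreeKill(kill, rawPid, signal, callback) {
  // kill is the function exported by tree-kill (1.2.2 or later).
  let pid;
  try {
    pid = parsePid(rawPid);
  } catch (err) {
    callback(err); // report the rejection; kill() is never reached
    return false;
  }
  kill(pid, signal, callback);
  return true;
}

// Constructed inputs run against a stub that records calls instead of
// killing anything, so the example runs on any platform.
function demo() {
  const calls = [];
  const errors = [];
  const fakeKill = (pid, signal, cb) => { calls.push([pid, signal]); cb(null); };
  for (const raw of ["4321", 4321, "4321 & echo injected", "", -1, "0x10", 1.5]) {
    safeTreeKill(fakeKill, raw, "SIGTERM", (err) => { if (err) errors.push(String(raw)); });
  }
  return { calls, errors };
}
```

In an application, pass `require('tree-kill')` as the first argument to `safeTreeKill` in place of the stub.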
Is CVE-2019-15599 being exploited?
Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.2.2