tree-kill-1.2.1.tgz: 1 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com[bot]]

Vulnerable Library - tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (tree-kill version)	Remediation Possible**
CVE-2019-15599	Critical	9.8	tree-kill-1.2.1.tgz	Direct	1.2.2	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-15599

### Vulnerable Library - tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Dependency Hierarchy: - :x: **tree-kill-1.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2

Found in base branch: main

### Vulnerability Details

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

Publish Date: 2019-12-18

URL: CVE-2019-15599

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2019-12-18

Fix Resolution: 1.2.2