A Command Injection vulnerability found in tree-kill before 1.2.2. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.
WS-2020-0005 - High Severity Vulnerability
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/spotfire-wrapper/package.json
Path to vulnerable library: /tmp/ws-scm/spotfire-wrapper/node_modules/tree-kill/package.json
Dependency Hierarchy: - build-angular-0.801.0.tgz (Root Library) - :x: **tree-kill-1.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: ac7f9a1f086fd622e9c4b8f3cfc24e567153a179
A Command Injection vulnerability found in tree-kill before 1.2.2. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.
Publish Date: 2020-01-15
URL: WS-2020-0005
Base Score Metrics not available
Type: Upgrade version
Origin: https://hackerone.com/reports/701183
Release Date: 2020-01-15
Fix Resolution: tree-kill - 1.2.2