PGV-2065719 - Command Injection in tree-kill

Disclosed on September 04, 2020 (updated May 11, 2026)

Vulnerability Overview

PGV-2065719 is a category 4 vulnerabilty that affects tree-kill, versions < 1.2.2

CVSS Scores:

Risk Assessment

The risk assessment shows that this vulnerability is exlpoited by a external attacker. An unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by a denial of service. Exploitation can completely deny access to the application, resulting in a full outage.is caused by a data breach. Exploitation can result in full access to data within the system.is caused by data tampering. Exploitation can result in modification of any data (authorized or not) within the system.

Vulnerability Details

Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.

Recommendation

Upgrade to version 1.2.2 or later.

Common Weakness Enumerations

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Additional References

Your Risk Profile

Network Exposure	External Accessable from the public internet
Access Interface	WebBrowser Primarily web-based applications
Service Outage	Disruptive Operations would be impacted
Data Breach	Disruptive Operations would be impacted
Data Tampering	Disruptive Operations would be impacted
Customize

Additional Identifiers

CVE-2019-15599
GHSA-884p-74jh-xrg2