Duplicate Advisory: tree-kill vulnerable to remote code execution
Critical severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Nov 8, 2023
Withdrawn
This advisory was withdrawn on Nov 8, 2023
Description
Published by the National Vulnerability Database
Dec 18, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Oct 19, 2023
Withdrawn
Nov 8, 2023
Last updated
Nov 8, 2023
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-884p-74jh-xrg2. Ths link is maintained to preserve external references.
Original Description
A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command, which is executed without any check. The issue arises here:
https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20
. While the Linux part is sanitized, the Windows on simply uses the+
operand to concatenate the input intoexec()
Steps To Reproduce:
Create the following PoC file:
Execute the following commands in another terminal:
A new file called
HACKED.txt
will be created, containing theHACKED
string.References