CVE-2019-15598: Treekill Enables OS Command Injection
An OS command injection exists in the npm packages treekill and tree-kill on Windows. On that platform both packages terminate a process tree by building a `taskkill` command line through string concatenation with the caller-supplied process id and running it through a shell (`child_process.exec`), without checking that the pid is actually a number. When an attacker can control the value passed as the pid, shell metacharacters in it are interpreted by `cmd.exe`, so arbitrary commands run with the privileges of the calling Node.js process; this becomes remote code execution wherever the pid originates from untrusted input (for example a web endpoint that stops jobs by id). The fix linked below validates the pid before it is used; until upgraded, callers should treat the pid argument as untrusted and accept only a positive integer.
References
- github.com/advisories/GHSA-j7fq-p9q7-5wfv
- github.com/node-modules/treekill/blob/master/index.js
- github.com/pkrumins/node-tree-kill
- github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c
- github.com/pkrumins/node-tree-kill/issues/30
- github.com/pkrumins/node-tree-kill/pull/31
- hackerone.com/reports/701183
- hackerone.com/reports/703415
- nvd.nist.gov/vuln/detail/CVE-2019-15598
- security.snyk.io/vuln/SNYK-JS-TREEKILL-536781
Detect and mitigate CVE-2019-15598 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.