Description
Command Injection in tree-kill
Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled, it may allow attackers to run arbitrary commands on the server. The issue only affects Windows systems.
Recommendation
Upgrade to version 1.2.2 or later.
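For callers that receive the process ID from untrusted input, the following added example (not code from tree-kill or from this advisory) shows strict PID validation combined with a shell-free process launch. It assumes the PID ends up on a Windows `taskkill` command line; `parsePid`, `taskkillArgs`, `killTree` and `MAX_PID` are hypothetical names.

```javascript
const { execFile } = require('node:child_process');

// Upper bound for a PID (assumption of this example: Windows PIDs are 32-bit values).
const MAX_PID = 0xffffffff;

// Return a validated integer PID or throw. Unlike parseInt(), which would
// silently read "1234 & echo x" as 1234, any non-digit character is rejected.
function parsePid(value) {
  let pid;
  if (typeof value === 'number') {
    pid = value;
  } else if (typeof value === 'string' && /^[0-9]{1,10}$/.test(value)) {
    pid = Number(value);
  } else {
    throw new TypeError('pid must be a number or a string of digits');
  }
  if (!Number.isSafeInteger(pid) || pid <= 0 || pid > MAX_PID) {
    throw new RangeError('pid out of range');
  }
  return pid;
}

// Argument vector for taskkill: each element is one argv entry.
function taskkillArgs(value) {
  return ['/pid', String(parsePid(value)), '/T', '/F'];
}

// Kill a process tree on Windows without a shell: execFile() starts
// taskkill directly, so "&", "|" and quotes are never interpreted.
function killTree(value, callback) {
  let args;
  try {
    args = taskkillArgs(value);
  } catch (err) {
    return callback(err);
  }
  if (process.platform !== 'win32') {
    return callback(new Error('this example only targets Windows'));
  }
  execFile('taskkill', args, { windowsHide: true }, callback);
}
```

Validation at the call site is defence in depth and does not replace the upgrade to 1.2.2.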
Packages
Name: tree-kill (npm)
Affected versions: < 1.2.2
Fixed version: 1.2.2
Related vulnerabilities
CVSS3: 9.8
nvd
about 6 years ago
A Code Injection vulnerability exists in tree-kill on Windows which allows remote code execution when an attacker is able to control the input into the command.