[GHSA-884p-74jh-xrg2] Command Injection in tree-kill #7455

Closed
Wenxin-Jiang wants to merge 1 commit into Wenxin-Jiang/advisory-improvement-7455 from Wenxin-Jiang-GHSA-884p-74jh-xrg2

Conversation

@Wenxin-Jiang

Updates

  • Affected products

Comments
CVE-2019-15599 is exploitable only through the Windows branch exec('taskkill /pid ' + pid + ' /T /F'), which was first added in 0.0.4 when process.platform === 'win32' support was introduced.

Versions 0.0.1–0.0.3 are Unix-only and invoke spawn('ps', [...]) exclusively—argv form, no shell, no attacker-controlled string interpolation—so the vulnerable sink does not exist.

Fix commit deee138a (1.2.2) guards the same exec call with parseInt/Number.isNaN, confirming it as the sole sink.

@github-actions github-actions Bot changed the base branch from main to Wenxin-Jiang/advisory-improvement-7455 April 20, 2026 14:52
@helixplant helixplant closed this Apr 22, 2026
@github-actions github-actions Bot deleted the Wenxin-Jiang-GHSA-884p-74jh-xrg2 branch April 22, 2026 19:56
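
The sink and guard described in the comment above, as an added example that is not tree-kill's source and not part of the pull request. All function names and sample inputs are constructed for illustration; the example assumes the guard interpolates the parsed number, and the stricter argv variant is an additional hardening the thread does not mention. Nothing is executed, only the command string or argv is built.

```javascript
// Pre-fix shape of the Windows branch: pid is concatenated into a string
// that exec() would hand to a shell (cmd.exe on Windows).
function unsafeCommand(pid) {
  return 'taskkill /pid ' + pid + ' /T /F';
}

// Guard in the style the comment attributes to the fix: parseInt, reject NaN.
// Assumption: the parsed number, not the original value, is interpolated.
function guardedCommand(pid) {
  const n = parseInt(pid, 10);
  if (Number.isNaN(n)) throw new Error('pid must be a number');
  return 'taskkill /pid ' + n + ' /T /F';
}

// Stricter variant (not from the page): accept only all-digit input and
// return argv for execFile/spawn, so no shell ever parses the value.
function strictArgv(pid) {
  const s = String(pid);
  if (!/^[0-9]+$/.test(s) || !Number.isSafeInteger(Number(s))) {
    throw new TypeError('pid must be a non-negative integer');
  }
  return ['taskkill', ['/pid', s, '/T', '/F']];
}

// Characters cmd.exe treats as command separators, pipes or redirection.
function hasShellMeta(cmd) {
  return /[&|<>^\r\n]/.test(cmd);
}

// Constructed sample inputs: two valid pids, one with a trailing command,
// one non-numeric string.
const samples = [1234, '1234', '1234 & echo INJECTED', 'abc'];

function report() {
  return samples.map((pid) => {
    const row = { pid, unsafeMeta: hasShellMeta(unsafeCommand(pid)) };
    try { row.guarded = guardedCommand(pid); } catch (e) { row.guarded = 'rejected'; }
    try { row.strict = strictArgv(pid)[1].join(' '); } catch (e) { row.strict = 'rejected'; }
    return row;
  });
}

console.table(report());
```

Note that `parseInt` keeps the leading digits of a string such as the third sample and drops the tail, so the guarded form neutralizes the input rather than rejecting it; the strict variant rejects it outright.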