CVE-2019-15598
Code Injection vulnerability in tree-kill
What is CVE-2019-15598 About?
This vulnerability is a Code Injection flaw in the `treekill` and `tree-kill` npm packages on Windows systems. It allows for remote code execution when an attacker can control the input provided to the command execution function. Exploitation is demonstrated to be straightforward with a clear proof-of-concept.
Affected Software
Technical Details
The `treekill` and `tree-kill` packages on Windows are vulnerable to code injection. The core of the issue lies in how these packages handle the command string passed to an underlying system command execution function (likely `child_process.exec` or similar). If an attacker can control part of the input to the `kill()` function, they can inject arbitrary shell commands. As demonstrated by the PoC, an attacker can append an arbitrary command using standard shell command separators (e.g., `&`, `&&`) to the process ID input. When this crafted string is executed by the OS shell, the injected command runs alongside the intended `treekill` operation, leading to remote code execution. This is due to insufficient sanitization or escaping of user-controlled input before constructing the command string.
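The validation that closes this class of bug, as an added example (not code from `tree-kill` or `treekill`): the PID is accepted only if it is a positive integer, and the command is run with an argument array so no shell parses the input. The function names are hypothetical, and the use of `taskkill /pid <pid> /T /F` for the Windows kill is an assumption, as are the constructed sample inputs.

```javascript
const { execFile } = require('child_process');

// Accept only a positive decimal integer. Type is checked first so that
// arrays or objects cannot be coerced into a command fragment.
function parsePid(input) {
  if (typeof input === 'number') {
    if (!Number.isSafeInteger(input) || input <= 0) {
      throw new TypeError('pid must be a positive integer');
    }
    return input;
  }
  if (typeof input !== 'string' || !/^[1-9][0-9]{0,9}$/.test(input)) {
    throw new TypeError('pid must be a positive integer');
  }
  return Number(input);
}

// Arguments go to the program as an array; no shell parses them, so
// separators such as & or && have no special meaning.
function taskkillArgs(input) {
  return ['/pid', String(parsePid(input)), '/T', '/F'];
}

// Hypothetical wrapper: validate, then run taskkill without a shell.
function killTree(input, callback) {
  let args;
  try {
    args = taskkillArgs(input);
  } catch (err) {
    return callback(err);
  }
  if (process.platform !== 'win32') {
    return callback(new Error('example covers the Windows path only'));
  }
  execFile('taskkill', args, { windowsHide: true }, callback);
}

// Constructed inputs: one valid pid, one carrying a shell separator.
for (const sample of ['1234', '1234 & echo injected']) {
  try {
    console.log(JSON.stringify(sample), '->', taskkillArgs(sample).join(' '));
  } catch (err) {
    console.log(JSON.stringify(sample), '-> rejected:', err.message);
  }
}
```

Applications that pass request data to `kill()` can apply the same `parsePid` check at the API boundary, independent of which package version is installed.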
What is the Impact of CVE-2019-15598?
Successful exploitation may allow attackers to execute arbitrary operating system commands, install malicious software, exfiltrate sensitive data, or completely compromise the underlying system.
What is the Exploitability of CVE-2019-15598?
Exploitation of this Code Injection vulnerability is of low complexity. An attacker requires the ability to control the input argument to the `kill()` function in applications using the `treekill` or `tree-kill` packages. This could be achieved if the application exposes an API endpoint that takes user-supplied input and directly passes it to `kill()`. No authentication is generally required if such an endpoint is publicly accessible. This is a remote execution vulnerability, assuming the attacker can remotely influence the input parameter. The primary prerequisite is the application running on a Windows environment and using the vulnerable package version. The risk is significantly higher in applications that do not validate or sanitize external input before using it in system commands.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-15598?
Available Upgrade Options
- tree-kill
- <1.2.2 → Upgrade to 1.2.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2019-15598
- https://github.com/node-modules/treekill/blob/master/index.js#L32
- https://hackerone.com/reports/703415
- https://github.com/pkrumins/node-tree-kill/pull/31
- https://hackerone.com/reports/701183
- https://github.com/pkrumins/node-tree-kill
- https://security.snyk.io/vuln/SNYK-JS-TREEKILL-536781
- https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c
- https://github.com/pkrumins/node-tree-kill/issues/30
What are Similar Vulnerabilities to CVE-2019-15598?
Similar Vulnerabilities: CVE-2023-45803, CVE-2023-38035, CVE-2023-29402, CVE-2023-28185, CVE-2023-0857
