CVE-2019-15598
Description
A command injection in the tree-kill npm package on Windows allows remote code execution when an attacker controls the PID input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The tree-kill npm package, which provides a cross-platform way to kill process trees, contains a code injection vulnerability in its Windows implementation. The flaw arises because the package passes the pid parameter directly to a shell command without sanitization. On Windows, the library uses taskkill /pid PID /T /F to kill a process tree. If an attacker can control the pid value, they can inject arbitrary commands that will be executed by the shell [1][3].
Exploitation
The attack vector relies on an attacker being able to supply a malicious pid argument to the tree-kill function. No authentication is required if the function is used in a context where untrusted user input reaches the pid parameter (e.g., a web application accepting a process ID from user input). On Windows, the injected string can include shell metacharacters such as |, &, or ; to execute arbitrary commands alongside the intended taskkill command [2][3].
Impact
Successful exploitation enables arbitrary code execution on the target system with the same privileges as the process that called tree-kill. An attacker could install programs, modify data, create new accounts, or perform any other action allowed by those privileges. The vulnerability is classified as critical and was assigned CVE-2019-15598 with a CVSS v3 score of 9.8 [2].
Mitigation
The maintainers patched the issue in version 1.2.2 of tree-kill, released on 2019-12-11. The fix sanitizes the pid parameter by ensuring it is a numeric value before passing it to the shell command [1][4]. Users should update to version 1.2.2 or later. No workaround is available other than upgrading.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tree-kill (npm) | < 1.2.2 | 1.2.2 |
Affected products
- treekill/treekill
Patches
ff73dbf144c4 fix: sanitise pid parameter (#31)
1 file changed · +4 −0
index.js+4 −0 modified@@ -5,6 +5,10 @@ var spawn = childProcess.spawn; var exec = childProcess.exec; module.exports = function (pid, signal, callback) { + if (typeof pid !== "number") { + throw new Error("pid must be a number"); + } + var tree = {}; var pidsToProcess = {}; tree[pid] = [];
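Review bot: the `typeof pid !== "number"` guard added at the top of the exported function still admits NaN, Infinity, negative and fractional numbers, none of which is a valid process id; tightening it to `if (!Number.isInteger(pid) || pid <= 0) { throw new Error("pid must be a positive integer"); }` rejects those as well while keeping the same throw-on-bad-input behaviour. The hunk also keeps `var exec = childProcess.exec;` in scope, so the command string that follows this check is still built for a shell; the type check is the only barrier, and building the taskkill invocation as an argument array for `spawn` without a shell would remove the shell-parsing step entirely rather than relying on input shape.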
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j7fq-p9q7-5wfv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15598 (advisory)
- github.com/node-modules/treekill/blob/master/index.js (web)
- github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c (web)
- github.com/pkrumins/node-tree-kill/issues/30 (web)
- github.com/pkrumins/node-tree-kill/pull/31 (web)
- hackerone.com/reports/701183 (web)
- hackerone.com/reports/703415 (web, x_refsource_MISC)
- security.snyk.io/vuln/SNYK-JS-TREEKILL-536781 (web)
News mentions
No linked articles in our index yet.