CVE-2019-15599
Description
A code injection vulnerability in tree-kill for Windows allows remote code execution via unsanitized pid input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The tree-kill Node.js package contained a code injection vulnerability on Windows. The package's kill function interpolated the pid parameter directly into a taskkill command string that was run through child_process.exec, without checking that the value was numeric. This allowed an attacker who could control the pid argument to inject arbitrary shell commands [1][3].
Exploitation
An attacker can exploit this by providing a malicious string as the pid parameter, for example through user input or an API that accepts process IDs. No special privileges are required beyond access to a function that calls tree-kill with attacker-controlled input. On Windows, the command injected would be executed with the privileges of the Node.js process [3].
Impact
Successful exploitation results in remote code execution (RCE) on the target system. The attacker could execute arbitrary commands, potentially leading to data theft, system compromise, or further lateral movement within a network [1].
Mitigation
The vulnerability was fixed in version 1.2.2 of tree-kill, released on 2019-12-11. The fix sanitizes the pid parameter by parsing it with parseInt and rejecting non-numeric values, preventing command injection [2][4]. Users are advised to upgrade to version 1.2.2 or later.
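The following added illustration (not tree-kill's own code) contrasts the unsafe string-building pattern with the parseInt check from the 1.2.2 fix and with a stricter validator plus an execFile argv array that keeps the pid away from any shell. Function names, the constructed inputs and the regex are assumptions for this example.

```javascript
// Added example, not from the tree-kill project.

// Vulnerable pattern (pre-1.2.2 shape): the pid is concatenated into a command
// string that child_process.exec hands to a shell, so whatever the caller put
// in pid reaches the shell untouched.
function buildTaskkillCommandUnsafe(pid) {
  return 'taskkill /pid ' + pid + ' /T /F';
}

// Shape of the 1.2.2 fix: parseInt + NaN check. Note parseInt('1234abc') is 1234,
// so trailing junk is dropped rather than rejected; only an integer ever reaches
// the command string, which is what closes the injection.
function normalizePidLikeFix(pid) {
  const n = parseInt(pid, 10);
  if (Number.isNaN(n)) throw new Error('pid must be a number');
  return n;
}

// Stricter form: accept only a positive integer (number or all-digit string);
// anything else is rejected instead of coerced.
function validatePidStrict(pid) {
  const ok = (typeof pid === 'number' && Number.isInteger(pid) && pid > 0) ||
             (typeof pid === 'string' && /^[1-9][0-9]*$/.test(pid));
  if (!ok) throw new TypeError('pid must be a positive integer');
  return Number(pid);
}

// Defence in depth: build an argv array for execFile so no shell parses the
// pid at all, even if validation were ever weakened.
function taskkillArgs(pid) {
  return ['/pid', String(validatePidStrict(pid)), '/T', '/F'];
}

// Hypothetical Windows kill wrapper using the argv form (no shell involved).
function killTreeWin32(pid, callback) {
  let args;
  try { args = taskkillArgs(pid); } catch (err) { return callback(err); }
  const { execFile } = require('child_process');
  execFile('taskkill', args, callback);
}
```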
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tree-kill (npm) | < 1.2.2 | 1.2.2 |
Affected products
- tree-kill/tree-kill
Patches
deee138a8cbc fix: handle sanitising better, add tests
2 files changed · +35 −7
index.js+12 −7 modified@@ -5,19 +5,24 @@ var spawn = childProcess.spawn; var exec = childProcess.exec; module.exports = function (pid, signal, callback) { - if (typeof pid !== "number") { - throw new Error("pid must be a number"); + if (typeof signal === 'function' && callback === undefined) { + callback = signal; + signal = undefined; + } + + pid = parseInt(pid); + if (Number.isNaN(pid)) { + if (callback) { + return callback(new Error("pid must be a number")); + } else { + throw new Error("pid must be a number"); + } } var tree = {}; var pidsToProcess = {}; tree[pid] = []; pidsToProcess[pid] = 1; - - if (typeof signal === 'function' && callback === undefined) { - callback = signal; - signal = undefined; - } switch (process.platform) { case 'win32':
test/test.js+23 −0 modified@@ -31,4 +31,27 @@ describe('kill()', function(){ return done() }) }) + + it('should reject invalid pid', function(done){ + var p = fork('./test/spin') + assert.ok(p.pid) + + kill('rm -rf /dev/null', function(err) { + assert.ok(typeof err === 'object') + return done() + }) + }) + + it('should reject invalid pids even if no callback', function(done){ + var p = fork('./test/spin') + assert.ok(p.pid) + + try { + kill('rm -rf /dev/null') + assert.fail('should have thrown') + } catch (err) { + assert.ok(typeof err === 'object') + return done(); + } + }) })
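Review bot: in the index.js hunk, `pid = parseInt(pid)` is called without a radix and silently truncates partially numeric input, so a value such as `'1234abc'` becomes 1234 and kills a process the caller may not have intended; consider `parseInt(pid, 10)` together with a stricter check (`Number.isInteger(Number(pid))` or an all-digit test) that rejects rather than coerces. Moving the signal/callback swap above the validation so that the error can be reported through `callback` is a good change; a short comment there explaining why the order matters would help future readers.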
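Review bot: the second test in the test/test.js hunk cannot fail for the reason it is meant to catch: if `kill('rm -rf /dev/null')` does not throw, `assert.fail(...)` throws an AssertionError, which is an object, so the `catch` block's `assert.ok(typeof err === 'object')` passes and `done()` is called anyway. Move the `assert.fail` outside the `try` (or assert on `err.message`), and add a case for partially numeric input such as `'1234abc'`. Both tests also fork `./test/spin` without ever killing `p`, so a spinning child is left running after each test; call `p.kill()` before `done()`.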
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-884p-74jh-xrg2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15599 (advisory)
- github.com/pkrumins/node-tree-kill/commit/deee138a8cbc918463d8af5ce8c2bec33c3fd164 (web)
- github.com/pkrumins/node-tree-kill/releases/tag/v1.2.2 (web)
- hackerone.com/reports/701183 (web)
News mentions
No linked articles in our index yet.