1.2.2
CVE-2019-15598 is a Command Injection vulnerability discovered in the tree-kill Node.js module. This flaw allows an attacker to execute arbitrary commands on the system if they can control the input provided to the tree-kill function. The vulnerability affects versions prior to 1.2.2 and can lead to complete system compromise. A patch was released in version 1.2.2.
The impact of CVE-2019-15598 is severe. An attacker can leverage this vulnerability to execute arbitrary commands with the privileges of the Node.js process. This could involve installing malware, stealing sensitive data, modifying system files, or establishing a persistent backdoor. The attack is particularly concerning because it can be triggered remotely via a crafted input string, potentially bypassing traditional security controls. The provided proof-of-concept demonstrates the ease with which an attacker can create a file named HACKED.txt on the system, indicating successful command execution.
This vulnerability was publicly disclosed in 2019 but gained renewed attention with the release of a clear proof-of-concept in 2022. While not currently listed on KEV, the high CVSS score and readily available exploit suggest a medium probability of exploitation. Public proof-of-concept code is available, making it relatively easy for attackers to exploit the vulnerability. The NVD entry was published on May 24, 2022.
Applications and systems utilizing the tree-kill Node.js module in their dependencies are at risk. This includes projects that rely on tree-kill for process management or tree traversal. Specifically, applications with weak input validation or those running with elevated privileges are particularly vulnerable.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object -ExpandProperty Path
• nodejs / supply-chain:
Get-ChildItem -Path $env:NODE_PATH -Recurse -Filter "tree-kill*" | Select-Object -ExpandProperty FullName
• generic web:
find / -path "*/node_modules/tree-kill" -type d 2>/dev/null
Exploitation status
EPSS
3.75% (88th percentile)
CVSS vector
The primary mitigation for CVE-2019-15598 is to upgrade the tree-kill module to version 1.2.2 or later. If upgrading is not immediately feasible, consider implementing input sanitization to validate and escape any user-supplied data passed to the tree-kill function. This could involve using a library specifically designed for command injection prevention. Additionally, restrict the permissions of the Node.js process to minimize the potential damage from a successful exploit. There are no specific WAF rules or detection signatures readily available, making input validation the most critical defense.
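An application-side guard for the input validation described above, written as an added example (it is not tree-kill's own code and not a reproduction of the 1.2.2 patch); `validatePid`, `safeTreeKill` and the injected `killImpl` are assumed names, and the sample inputs are constructed.

```javascript
'use strict';
// Added example, not tree-kill's own code. tree-kill builds a shell command
// (e.g. taskkill on Windows) from the pid it is given, so before 1.2.2 a pid
// string carrying shell metacharacters flowed straight into that command.
// This guard is an assumed application-side check: only a plain positive
// integer is allowed to reach the module.
const PID_PATTERN = /^[1-9][0-9]*$/;

// Returns the pid as a Number, or throws a TypeError for anything else.
function validatePid(input) {
  if (typeof input === 'number' && Number.isSafeInteger(input) && input > 0) {
    return input;
  }
  if (typeof input === 'string' && PID_PATTERN.test(input)) {
    const pid = Number(input);
    if (Number.isSafeInteger(pid)) return pid;
  }
  throw new TypeError(`pid must be a positive integer, got ${JSON.stringify(input)}`);
}

// Guarded wrapper around a tree-kill-style function (pid, signal, callback).
// killImpl is injected (an assumption) so this runs without the module installed;
// in an application it would be require('tree-kill'). Returns true if forwarded.
function safeTreeKill(killImpl, pid, signal, callback) {
  let validated;
  try {
    validated = validatePid(pid);
  } catch (err) {
    callback(err); // rejected before any command line is built
    return false;
  }
  killImpl(validated, signal, callback);
  return true;
}

// Constructed sample inputs, shaped like values arriving in an HTTP request.
const SAMPLE_INPUTS = [
  '1234',                  // legitimate pid
  '1234; echo injected',   // pid with shell metacharacters appended
  '-1',                    // negative: would be read as a flag or process group
  '',                      // empty
];

// Shows which samples the guard admits; exactly the first one should pass.
function classifyInputs(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => {
    try { return { input, accepted: true, pid: validatePid(input) }; }
    catch (err) { return { input, accepted: false, reason: err.message }; }
  });
}
```

The guard is a boundary control only; upgrading to 1.2.2 or later remains the actual fix.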
Update the tree-kill utility to the patched version that fixes the code injection vulnerability. This prevents remote code execution when an attacker controls the input passed to the command. For specific update instructions, refer to the release notes or the vendor's website.
CVE-2019-15598 is a critical Command Injection vulnerability in the tree-kill Node.js module, allowing attackers to execute arbitrary commands on the system.
You are affected if you are using a version of the tree-kill module prior to 1.2.2 and are not properly sanitizing input to the tree-kill function.
Upgrade the tree-kill module to version 1.2.2 or later. If upgrading is not possible, implement robust input sanitization to prevent command injection.
While there are no confirmed reports of active exploitation, the vulnerability's high CVSS score and readily available proof-of-concept code suggest a potential risk.
Refer to the npm advisory for CVE-2019-15598: https://www.npmjs.com/advisories/1031