GMS-2020-791: Command Injection in tree-kill

September 4, 2020 (updated October 4, 2021)

Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.

Recommendation

Upgrade to version 1.2.2 or later.

References

github.com/advisories/GHSA-884p-74jh-xrg2
hackerone.com/reports/701183
www.npmjs.com/advisories/1432

Code Behaviors & Features

Detect and mitigate GMS-2020-791 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →