## treeKill Command Injection Vulnerability Patched on Windows — Number.isNaN() Validation Flaw Exploitable
A command injection vulnerability in the treeKill utility function on Windows has been patched, after researchers found that its string validation logic was fundamentally flawed. The original code used `Number.isNaN()` to validate process ID arguments before interpolating them into a `child_process.exec` command line, but `Number.isNaN()` does not coerce its argument and therefore returns `false` for every string, whatever that string contains. Non-numeric strings carrying shell commands passed the check unchanged, enabling arbitrary command execution on affected systems.

The vulnerability stems from a subtle point in JavaScript's type checking. `Number.isNaN()` returns `true` only when its argument is the numeric value `NaN`; unlike the global `isNaN()`, it performs no type coercion, so a string can never satisfy it and the check returns `false` for any string, including one with embedded semicolons or other shell metacharacters. A malicious input such as `"123; calc.exe"` therefore passes validation and is interpolated directly into the command string that `exec` hands to the shell (on Windows that is cmd.exe, which chains commands with `&` rather than `;`, but the validation accepts either). The flaw affected any application that used treeKill to terminate processes on Windows.

The fix implements three layers of defense. First, a strict regex pattern `/^\d+$/` now ensures the PID argument consists only of digits, rejecting any input containing shell operators or whitespace. Second, the implementation switched from `child_process.exec` to `child_process.spawn` for the `taskkill` command, which passes the argument vector to the binary directly with no shell interpretation (provided the `shell` option is left off). Third, an explicit `error` handler was added to the spawned process, so a failure to launch `taskkill` surfaces as an error instead of an unhandled event. Tests in `packages/cli-kit/src/public/node/tree-kill.test.ts` verify that malicious PID strings fail validation and that `taskkill` is invoked correctly. Users of the affected package should update immediately to mitigate the risk of arbitrary command execution.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: command-injection, cve, vulnerability, nodejs, windows
- **Credibility**: unverified
- **Published**: 2026-05-01 00:54:15
- **ID**: 78758
- **URL**: https://whisperx.ai/en/intel/78758