Shopify CLI Kit Patches Command Injection Flaw in tree-kill.ts on Windows
A command injection vulnerability has been identified and disclosed in `packages/cli-kit/src/public/node/tree-kill.ts`, specifically affecting Windows environments. The flaw allowed attackers to execute arbitrary system commands by supplying a maliciously crafted PID string through the `exec` function without proper sanitization. A proof-of-concept attack vector includes strings such as `123 & calc`, where the ampersand triggers execution of a secondary command after the intended process termination.
The root cause stems from two compounding failures in input validation. First, the original implementation passed unsanitized PID strings directly to the `exec` call, which hands the string to a shell for parsing and so enables command injection. Second, the validation logic relied on `Number.isNaN()` to decide whether a PID string was numeric, a fundamentally broken approach: `Number.isNaN()` performs no type coercion and returns `true` only for the `NaN` value itself, so it returns `false` for every string, numeric or not. This means strings like `"abc"` would pass validation and reach the vulnerable `exec` call, rather than being rejected at the gate.
The disclosure includes a new test file, `packages/cli-kit/src/public/node/tree-kill.test.ts`, which validates that non-numeric PIDs are properly rejected and that numeric PIDs are routed to `execFile` as intended. Developers using `@shopify/cli-kit` on Windows are advised to verify they are running patched versions. The issue was confirmed as a novel finding with no prior addressing in the project's commit history, and a fix is being implemented alongside the test coverage.
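To make the two failures concrete, here is an added illustration (not code from the project) that places the broken `Number.isNaN()` check and a shell-interpolated command line beside a strict digits-only check that feeds an argv array to `execFile`. The `taskkill` command line and all function names are assumptions for this example.

```javascript
// Broken check described above: Number.isNaN() never coerces its argument,
// so a string is never the NaN value and every string "passes", including
// "abc" and "123 & calc".
function brokenIsNumericPid(pid) {
  return !Number.isNaN(pid);
}

// Vulnerable shape: the raw PID is interpolated into a shell command line.
// Returned as a string (never executed here) to show what the shell would see.
// The taskkill command line is assumed, not taken from the project.
function vulnerableCommandLine(pid) {
  return `taskkill /pid ${pid} /T /F`;
}

// Hardened check: accept only a string of decimal digits that parses to a
// positive safe integer. Whitespace, operators and signs are all rejected.
function isValidPid(pid) {
  const s = String(pid);
  if (!/^\d+$/.test(s)) return false;
  const n = Number(s);
  return Number.isSafeInteger(n) && n > 0;
}

// Hardened shape: build an argv array for execFile. No shell parses the
// arguments, so a metacharacter in the PID cannot start a second command,
// and the validation above rejects such input before it gets this far.
function buildKillArgs(pid) {
  if (!isValidPid(pid)) {
    throw new Error(`Invalid PID: ${JSON.stringify(String(pid))}`);
  }
  return { file: 'taskkill', args: ['/pid', String(pid), '/T', '/F'] };
}

// Runs the validated argv with execFile (no shell). Not invoked by the checks
// below; it only does anything on Windows, where taskkill exists.
async function killTreeWindows(pid) {
  const { file, args } = buildKillArgs(pid);
  const { execFile } = await import('child_process');
  await new Promise((resolve, reject) =>
    execFile(file, args, (err) => (err ? reject(err) : resolve())),
  );
}
```

Running `buildKillArgs('123 & calc')` throws, while the vulnerable string builder happily produces `taskkill /pid 123 & calc /T /F`, which a shell would split at the ampersand.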