Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980)

Related Vulnerabilities: CVE-2024-27980  
Source 
                Rafael Gonzaga <work () rafaelgss dev> wrote:
 

Trimmed 'links -dump' output:

   Wednesday, April 10, 2024 Security Releases

Security releases available

   Updates are now available for the 18.x, 20.x, 21.x Node.js release lines
   for the following issues.

Command injection via args parameter of child_process.spawn without shell option
enabled on Windows (CVE-2024-27980) - (HIGH)

   Due to the improper handling of batch files in child_process.spawn /
   child_process.spawnSync, a malicious command line argument can inject
   arbitrary commands and achieve code execution even if the shell option is
   not enabled.

   Impact:

     * This vulnerability affects all users in active release lines: 18.x,
       20.x, 21.x

   Thank you, to ryotak for reporting this vulnerability and thank you Ben
   Noordhuis for fixing it.

---

Sending these details could be automated from a simple
procmail filter, if desired.

-Jan

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started