Rafael Gonzaga <work () rafaelgss dev> wrote:
Trimmed 'links -dump' output:
Wednesday, April 10, 2024 Security Releases
Security releases available
Updates are now available for the 18.x, 20.x, 21.x Node.js release lines
for the following issues.
Command injection via args parameter of child_process.spawn without shell option
enabled on Windows (CVE-2024-27980) - (HIGH)
Due to the improper handling of batch files in child_process.spawn /
child_process.spawnSync, a malicious command line argument can inject
arbitrary commands and achieve code execution even if the shell option is
not enabled.
Impact:
* This vulnerability affects all users in active release lines: 18.x,
20.x, 21.x
Thank you, to ryotak for reporting this vulnerability and thank you Ben
Noordhuis for fixing it.
---
Sending these details could be automated from a simple
procmail filter, if desired.
-Jan