Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2024-27980

Source

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Jan Schaumann &lt;jschauma () netmeister org&gt;

Date: Wed, 10 Apr 2024 13:36:20 -0400

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Rafael Gonzaga &lt;work () rafaelgss dev&gt; wrote:
 
The planned security releases are now available. You can read more about 
the details at 
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Trimmed 'links -dump' output:

   Wednesday, April 10, 2024 Security Releases

Security releases available

   Updates are now available for the 18.x, 20.x, 21.x Node.js release lines
   for the following issues.

Command injection via args parameter of child_process.spawn without shell option
enabled on Windows (CVE-2024-27980) - (HIGH)

   Due to the improper handling of batch files in child_process.spawn /
   child_process.spawnSync, a malicious command line argument can inject
   arbitrary commands and achieve code execution even if the shell option is
   not enabled.

   Impact:

     * This vulnerability affects all users in active release lines: 18.x,
       20.x, 21.x

   Thank you, to ryotak for reporting this vulnerability and thank you Ben
   Noordhuis for fixing it.

---

Sending these details could be automated from a simple
procmail filter, if desired.

-Jan

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 04)

&lt;Possible follow-ups&gt;
Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 10)

NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) Jan Schaumann (Apr 10)

 

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980)

Vulmon Search

About

Products

Connect