CVE-2024-27980

HIGH

Node.js < 18.20.2, 19.x, < 20.12.2, < 21.7.3 - Command Injection via child_process.spawn

Title source: llm

Description

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

References (5)

Core 5

Core References

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/

Mailing List

http://www.openwall.com/lists/oss-security/2024/04/10/15

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/11/6

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/19/3

Scores

CVSS v3 8.1

EPSS 0.0027

EPSS Percentile 50.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (18)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 18.0 - 18.20.2

NodeJS/Node 19.0 - 19.*

... and 8 more

Published Jan 09, 2025

Tracked Since Feb 18, 2026