Description
A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.
References (8)
Core References
Exploit, Third Party Advisory
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
Third Party Advisory
https://kb.cert.org/vuls/id/123335
Technical Description
https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-1874
Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-22423
Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-24576
Not Applicable
https://www.kb.cert.org/vuls/id/123335
Scores
CVSS v3: 9.8
EPSS: 0.0960
EPSS Percentile: 93.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (9)
golang/go
haskell/process_library: 1.6.19.0
haskell/process_library: < 1.6.19.0
nodejs/node.js: < 18.20.2
nodejs/node.js: < 21.7.2
php/php
rust-lang/rust: 1.77.2
rust-lang/rust: < 1.77.2
yt-dlp_project/yt-dlp
Published: Apr 10, 2024
Tracked Since: Feb 18, 2026