CVE-2024-36138

HIGH

Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Command Injection via child_process.spawn

Title source: llm

Description

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

References (2)

Core 2

Core References

Various Sources

https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241108-0010/

Scores

CVSS v3 8.1

EPSS 0.0026

EPSS Percentile 49.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (19)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 18.0 - 18.20.4

NodeJS/Node 19.0 - 19.*

... and 9 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026