oss-sec mailing list archives
NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980)
From: Jan Schaumann <jschauma () netmeister org>
Date: Wed, 10 Apr 2024 13:36:20 -0400
Rafael Gonzaga <work () rafaelgss dev> wrote:
The planned security releases are now available. You can read more about the details at https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
Trimmed 'links -dump' output: Wednesday, April 10, 2024 Security Releases Security releases available Updates are now available for the 18.x, 20.x, 21.x Node.js release lines for the following issues. Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH) Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. Impact: * This vulnerability affects all users in active release lines: 18.x, 20.x, 21.x Thank you, to ryotak for reporting this vulnerability and thank you Ben Noordhuis for fixing it. --- Sending these details could be automated from a simple procmail filter, if desired. -Jan
Current thread:
- Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 04)
- <Possible follow-ups>
- Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 10)
- NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) Jan Schaumann (Apr 10)