
CVE-2024-27980: Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject...

8.1 CVSS

Description

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

The issue is Windows-specific. When the file passed to spawn() or spawnSync() is a .bat or .cmd script, Windows starts it through cmd.exe whether or not the shell option was given, so cmd.exe re-parses the single command-line string that Node assembled from the args array. cmd.exe does not honour the escaping Node applies: a backslash before a double quote is literal to cmd.exe, and the double quote itself toggles quote mode. An attacker-controlled argument that contains a double quote followed by an ampersand therefore ends the quoted section and starts a second, attacker-chosen command. Any application that lets untrusted input reach the args array of a spawn()/spawnSync() call whose target is a batch file is exposed, even though it never set shell: true.

The fixed releases make spawn() and spawnSync() reject .bat and .cmd targets with an EINVAL error unless shell: true is passed explicitly; with shell: true Node applies no escaping at all, so the caller then owns argument validation. The April 2024 fix was later found to be incomplete and was tightened in the July 2024 Node.js security release (tracked as CVE-2024-36138).
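The mechanism described above, as an added example that is not Node.js or libuv code: it quotes arguments the way Node does when building a Windows command line, re-splits that line the way cmd.exe reads it when the target is a batch file, and applies the EINVAL guard the fixed releases use. The names quoteCrtArg, cmdSplit, checkedCommandLine and assertSafeBatchArg are mine, the cmd.exe model is deliberately minimal (no ^ escapes, no redirection), and the reject-list of metacharacters is a conservative assumption rather than Node's API. The script runs on any OS because it never spawns a process; it only builds and re-parses strings.

```javascript
// Added example (not Node.js project code) modelling CVE-2024-27980.

// Quote one argument the way the Windows C runtime expects argv to be encoded:
// wrap in double quotes when the value needs it, backslash-escape embedded
// quotes, double any backslashes that precede a quote.
// Assumption: this is close enough to libuv's quoting for the demo.
function quoteCrtArg(arg) {
  if (arg !== '' && !/[ \t"]/.test(arg)) return arg;   // no quoting needed
  let out = '"';
  let backslashes = 0;
  for (const ch of arg) {
    if (ch === '\\') { backslashes++; continue; }
    if (ch === '"') {
      out += '\\'.repeat(backslashes * 2 + 1) + '"';   // " -> \"  (\ before it doubled)
      backslashes = 0;
      continue;
    }
    out += '\\'.repeat(backslashes) + ch;
    backslashes = 0;
  }
  return out + '\\'.repeat(backslashes * 2) + '"';
}

// The single string Windows receives for spawn(file, args).
function buildCommandLine(file, args) {
  return [file, ...args].map(quoteCrtArg).join(' ');
}

// Minimal model of how cmd.exe reads that line for a .bat/.cmd target:
// a double quote toggles quote mode, a backslash is NOT an escape, and
// & | && || outside quotes separate commands.
function cmdSplit(line) {
  const commands = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (ch === '"') { inQuote = !inQuote; cur += ch; continue; }
    if (!inQuote && (ch === '&' || ch === '|')) {
      if (line[i + 1] === ch) i++;   // treat && and || as one separator
      commands.push(cur.trim());
      cur = '';
      continue;
    }
    cur += ch;
  }
  commands.push(cur.trim());
  return commands;
}

// Everything cmd.exe would execute for a given spawn(file, args) call.
function commandsRunByCmd(file, args) {
  return cmdSplit(buildCommandLine(file, args));
}

// Guard mirroring the fixed Node.js releases: a .bat/.cmd target without
// shell: true is refused with EINVAL, because no escaping Node can apply to
// the args array survives cmd.exe's re-parsing.
function isBatchFile(file) {
  return /\.(bat|cmd)$/i.test(file);
}

function checkedCommandLine(file, args, options = {}) {
  if (isBatchFile(file) && !options.shell) {
    const err = new Error(`spawn ${file} EINVAL`);
    err.code = 'EINVAL';
    throw err;
  }
  return buildCommandLine(file, args);
}

// With shell: true Node hands the line to cmd.exe unescaped, so the caller
// must validate. Conservative choice (an assumption, not Node's API): refuse
// any argument carrying a cmd.exe metacharacter rather than try to escape it.
const CMD_METACHARS = /["%^&|<>!\r\n]/;
function assertSafeBatchArg(arg) {
  if (CMD_METACHARS.test(arg)) {
    throw new TypeError(`unsafe batch argument: ${JSON.stringify(arg)}`);
  }
  return arg;
}

// Stand-alone demo: Node quotes the argument, cmd.exe still sees two commands.
console.log(commandsRunByCmd('build.bat', ['"&calc.exe']));
```

The demo output shows that the argument was quoted as "\"&calc.exe" on the way in, yet cmd.exe ends quote mode at the backslash-quote pair and runs calc.exe" as a second command. The same call against checkedCommandLine throws EINVAL, which is the behaviour a patched Node.js exhibits; code that must keep spawning batch files should switch to shell: true and gate every argument through a check like assertSafeBatchArg (or, better, stop passing untrusted values to batch files at all).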

Classification

CVE ID: CVE-2024-27980

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

Affected Products

Vendor: Node.js

Product: Node.js

Affected Versions: 18.x, 20.x and 21.x on Windows, fixed in 18.20.2, 20.12.2 and 21.7.3 (April 2024 security release)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 17.82% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-02-07 (date on which this score was calculated)

References

http://www.openwall.com/lists/oss-security/2024/04/10/15
http://www.openwall.com/lists/oss-security/2024/07/11/6
http://www.openwall.com/lists/oss-security/2024/07/19/3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/

Timeline