Description
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Published: 2025-01-09
Score: 8.1 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-25154 Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
History

Thu, 09 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 01:00:00 +0000

Type Values Removed Values Added
Description A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for arguments that were not able to be safely escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file. Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
References
Metrics cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2025-04-30T22:25:25.133Z

Reserved: 2024-02-29T01:04:06.640Z

Link: CVE-2024-27980

cve-icon Vulnrichment

Updated: 2025-01-09T21:32:59.312Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T01:15:08.367

Modified: 2026-06-17T07:20:42.723

Link: CVE-2024-27980

cve-icon Redhat

Severity :

Publid Date: 2024-04-09T00:00:00Z

Links: CVE-2024-27980 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')