Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Published: 2026-06-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the launch-editor module used within Vite, which transforms a file path and line number into a command to open the file in an editor. Prior to version 2.9.0, the module fails to properly sanitize the file argument, allowing an attacker to inject command line characters on Windows. As a result an attacker who can supply the filename can execute arbitrary commands with the privileges of the running Node.js process, representing a classic command injection flaw (CWE‑77) and referencing an additional identified weakness (CWE‑88). If exploited, the attacker could gain control over the host system or read/write arbitrary files, compromising confidentiality, integrity, and availability of the application and data.

Affected Systems

The flaw affects the vitejs:launch-editor package and its ancestor vitejs:vite. All releases before launch‑editor 2.9.0 (which corresponds to Vite 5.4.9) are vulnerable. The issue is relevant to any Node.js application that imports launch-editor or calls its launchEditor method with a user‑controlled filename.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score is not available, making it unclear how often the flaw is actively exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at the time of the advisory. The attack vector requires that an attacker can influence the filename passed to launchEditor, typically through a user‑facing API, CLI command, or malformed request. If such influence is possible, successful exploitation would allow remote code execution with the privileges of the Node.js process.

Generated by OpenCVE AI on June 2, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade launch-editor to version 2.9.0 or newer, ensuring your Vite installation is also updated to 5.4.9 or later.
  • Sanitize or validate any filenames that may be supplied to launchEditor, and avoid passing untrusted data directly to the method.
  • Stay alert for additional advisories from the Vite maintainers and keep all related npm packages up to date to mitigate future vulnerabilities.

Generated by OpenCVE AI on June 2, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c27g-q93r-2cwf launch-editor vulnerable to command injection via the crafted request on Windows
History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Vitejs
Vitejs launch-editor
Vitejs vite
Vendors & Products Vitejs
Vitejs launch-editor
Vitejs vite

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-88
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L'}

threat_severity

Important

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Title launch-editor vulnerable to command injection via the crafted request on Windows
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Vitejs Launch-editor Vite
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:24:59.154Z

Reserved: 2024-11-04T17:46:16.779Z

Link: CVE-2024-52011

cve-icon Vulnrichment

Updated: 2026-06-02T15:24:54.167Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T19:16:18.977

Modified: 2026-06-02T14:04:23.573

Link: CVE-2024-52011

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-01T17:17:43Z

Links: CVE-2024-52011 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:53:31Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')