CVE-2024-36138

CVSS 8.1 HIGHEPSS 1.1%CWE-77

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Productos afectados

NodeJS · Node

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://nodejs.org/en/blog/vulnerability/july-2024-security-releases https://security.netapp.com/advisory/ntap-20241108-0010/