CVE-2024-36138

CVSS 8.1 HIGHEPSS 1.1%CWE-77

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

NodeJS · Node

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://nodejs.org/en/blog/vulnerability/july-2024-security-releases https://security.netapp.com/advisory/ntap-20241108-0010/