oss-security - NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Wed, 10 Apr 2024 13:36:20 -0400
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: NodeJS Command injection via args parameter of child_process.spawn
 without shell option enabled on Windows (CVE-2024-27980)

Rafael Gonzaga <work@...aelgss.dev> wrote:

> The planned security releases are now available. You can read more about 
> the details at 
> https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Trimmed 'links -dump' output:

   Wednesday, April 10, 2024 Security Releases

Security releases available

   Updates are now available for the 18.x, 20.x, 21.x Node.js release lines
   for the following issues.

Command injection via args parameter of child_process.spawn without shell option
enabled on Windows (CVE-2024-27980) - (HIGH)

   Due to the improper handling of batch files in child_process.spawn /
   child_process.spawnSync, a malicious command line argument can inject
   arbitrary commands and achieve code execution even if the shell option is
   not enabled.

   Impact:

     * This vulnerability affects all users in active release lines: 18.x,
       20.x, 21.x

   Thank you, to ryotak for reporting this vulnerability and thank you Ben
   Noordhuis for fixing it.

---

Sending these details could be automated from a simple
procmail filter, if desired.

-Jan

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.