CVE-2024-36138

Name
CVE-2024-36138
Description
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Match rules

CPE URI Source package Min version Max version
node >= 0 <= 18.20.3
node >= 0 <= 20.15.0
node >= 0 <= 22.4.0
cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* nodejs >= 18.0 < 18.20.4
cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* nodejs >= 20.0 < 20.15.1
cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* nodejs >= 22.0 < 22.4.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs 3.18-main 18.20.1-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
nodejs 3.17-main 18.20.1-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable