BIT-node-2024-27980
PUBLISHED
CVSS 8.1 HIGH
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Risk Scores
CVSS 3.0
8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node | 0, 19.0.0, 21.0.0 |
Exploit Intelligence
- npm-command.mjs (github-poc)
- npm-shim.js (github-poc)
- resolve-analyze-cmd.cjs (github-poc)
- lib.rs (github-poc)
- exec.ts (github-poc)
- shell.rs (github-poc)
- node_revert.h (github-poc)
- claude_version_utils.cjs (github-poc)
- pwa-icons.test.cjs (github-poc)
- pwa-cache-version.test.cjs (github-poc)
…and 90 more exploits
Timeline
- Jan 10, 2025 CVE Published
- Apr 3, 2025 CVE Updated
References
- http://www.openwall.com/lists/oss-security/2024/04/10/15
- http://www.openwall.com/lists/oss-security/2024/07/11/6
- http://www.openwall.com/lists/oss-security/2024/07/19/3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/
- https://nvd.nist.gov/vuln/detail/CVE-2024-27980