CVE-2024-36138 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-36138 PUBLISHED CVSS 9.300000190734863 CRITICAL

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

EPSS 0.26% · 49.3th percentile

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.26%

49.3th percentile

Affected Products

Vendor	Product	Versions
Bitnami	node	0, 19.0.0, 21.0.0
Bitnami	node-min	0, 19.0.0, 21.0.0
Bitnami	node-min	21.0.0, 21.0.0, 0
Bitnami	node	19.0.0, 21.0.0, 0

Timeline

CVE Published
Jul 9, 2024 PoC Published
Sep 8, 2024 EPSS Score
Sep 27, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Nov 5, 2024 EPSS Score
Nov 25, 2024 EPSS Score
Dec 15, 2024 EPSS Score
Jan 23, 2025 EPSS Score
Feb 3, 2025 Coalition ESS Score
Feb 11, 2025 EPSS Score
Mar 2, 2025 EPSS Score

References

Open in Interactive Console →