Arbitrary Command Injection Vulnerability in Child Process Functions of Software
CVE-2024-27980

Key Information:

Vendor: Node.js

Status: Vendor

CVE Published: 9 January 2025

What is CVE-2024-27980?

This vulnerability arises from improper handling of batch files in the child_process.spawn and child_process.spawnSync functions. A malicious actor can manipulate command line arguments to inject arbitrary commands, leading to unintended code execution. This can occur even when the shell option is disabled, potentially allowing for unauthorized actions on the affected system. Organizations utilizing this software are advised to review their security measures and apply patches as soon as available to mitigate risks associated with this vulnerability.

Affected Version(s)

Node.js 21.7.0

Node.js 20.11.1

Node.js 18.19.1

News Articles

Arbitrary code execution vulnerability found in Node.js

An arbitrary code execution vulnerability has been found in Node.js, and users are urged to take special care. In this regard, the Korea Internet & Security Agency (KISA) issued a security notice on the 10th urging caution about the vulnerability, and the Open JS Foundation has released a security update that fixes the vulnerability occurring in Node.js.

Node.js — Monday, July 8, 2024 Security Releases

Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Timeline

  • Vulnerability published

  • First article discovered by Node.js

  • Vulnerability Reserved