CVE-2024-36138

NONE EPSS 61.5%
Published Sep 7, 2024 (1y ago) · Modified Jun 17, 2026 (2w ago)

Description

Bypass of the incomplete fix for CVE-2024-27980, arising from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command-line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Threat Intelligence

EPSS Exploit Probability
61.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-77 Command Injection

References 2

  • nodejs.org https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
  • security.netapp.com https://security.netapp.com/advisory/ntap-20241108-0010/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.