CVE-2024-36138
NONE EPSS 61.5%
Published Sep 7, 2024 1y ago
Last Modified Jun 17, 2026 2w ago
Description
Bypass of the incomplete fix for CVE-2024-27980, which arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command-line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Threat Intelligence
EPSS Exploit Probability
61.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-77 Command Injection
References 2
- nodejs.org https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
- security.netapp.com https://security.netapp.com/advisory/ntap-20241108-0010/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.