Vulnerability CVE-2024-36138
Published: 2024-09-07

Description:
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

 References:
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
Copyright 2026, cxsecurity.com

 

Back to Top