CVE-2024-27980 HIGH

CVE-2024-27980

Vendor Nodejs
Product Node
Published January 9, 2025
Last update April 30, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Key dates

02Disclosure timeline

January 9, 2025 CVE published
April 30, 2025 Record updated