CVE-2024-36138 HIGH

CVE-2024-36138

Vendor Nodejs
Product Node
Published September 7, 2024
Last update April 30, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Key dates

02Disclosure timeline

September 7, 2024 CVE published
April 30, 2025 Record updated