Tianst

Name of the Vulnerable Software and Affected Versions: Node.js versions up to 18.20.3 Node.js versions up to 20.15.0 Node.js versions up to 22.4.0 Description: The issue arises from improper handling of batch files with all possible extensions on Windows via `child process.spawn` / `child process.spawnSync`. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. This allows a remote attacker to execute arbitrary commands. Recommendations: For Node.js versions up to 18.20.3, update to a version higher than 18.20.3 to resolve the issue. For Node.js versions up to 20.15.0, update to a version higher than 20.15.0 to resolve the issue. For Node.js versions up to 22.4.0, update to a version higher than 22.4.0 to resolve the issue. As a temporary workaround, consider disabling the use of `child process.spawn` and `child process.spawnSync` functions until a patch is available.

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x Description: The issue is related to the improper handling of batch files in `child process.spawn` and `child process.spawnSync` on Windows platforms. This allows a malicious command line argument to inject arbitrary commands and achieve code execution, even if the shell option is not enabled. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. Recommendations: For Node.js versions 18.x, 20.x, and 21.x, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `child process.spawn` function until a patch is available. Restrict access to the `child process.spawnSync` function to minimize the risk of exploitation. Avoid using the `args` parameter in the affected `child process.spawn` function until the issue is resolved.