CVE-2024-36138

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Node.js versions up to 18.20.3 Node.js versions up to 20.15.0 Node.js versions up to 22.4.0

Description: The issue arises from improper handling of batch files with all possible extensions on Windows via child process.spawn / child process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. This allows a remote attacker to execute arbitrary commands.

Recommendations: For Node.js versions up to 18.20.3, update to a version higher than 18.20.3 to resolve the issue. For Node.js versions up to 20.15.0, update to a version higher than 20.15.0 to resolve the issue. For Node.js versions up to 22.4.0, update to a version higher than 22.4.0 to resolve the issue. As a temporary workaround, consider disabling the use of child process.spawn and child process.spawnSync functions until a patch is available.

Fix

RCE

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-77

Related Identifiers

BDU:2024-05133

BIT-NODE-2024-36138

BIT-NODE-MIN-2024-36138

CLEANSTART-2026-BD71263

CLEANSTART-2026-IS74202

CLEANSTART-2026-JR35772

CLEANSTART-2026-JY06700

CLEANSTART-2026-KN34553

CLEANSTART-2026-KZ45320

CLEANSTART-2026-LJ44720

CLEANSTART-2026-LN12820

CLEANSTART-2026-TX00223

CLEANSTART-2026-WI75198

CVE-2024-36138

MGASA-2024-0282

OPENSUSE-SU-2024:14435-1

OPENSUSE-SU-2024_2542-1

OPENSUSE-SU-2025:15802-1

SUSE-SU-2024:2496-1

SUSE-SU-2024:2542-1

SUSE-SU-2024:2543-1

SUSE-SU-2024:2574-1

Affected Products

Node.Js

Suse

CVE-2024-36138

Weakness Enumeration

Related Identifiers

Affected Products

References · 215