CVE-2024-27980

Command Injection
Affects
Node
4.0 <= 18.20.2, 20 < 20.12.2
in
Node.js
Node.js NES
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Node is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.

A Command Injection vulnerability has been identified in Node on Windows. The issue stems from improper handling of batch files in child_process.spawn / child_process.spawnSync. This weakness allows attackers to inject arbitrary commands and achieve code execution even if the shell option is not enabled.

This vulnerability affects specific versions of the package and can result in total compromise of the system. Details on affected versions and reproduction steps are provided below.

Details

Module Info


Affected packages: Node

Affected versions: 4.0 <= 18.20.2, 20 < 20.12.2

GitHub repository: https://github.com/nodejs/node

Published packages: https://github.com/nodejs/node/releases

Package manager: npm

Fixed in: NES version v12, v14, v16

Vulnerability Info

The issue stems from improper handling of batch files in child_process.spawn / child_process.spawnSync.

For instance, in a typical deployment, if a malicious command line argument is passed, the system can execute arbitrary commands. This behavior can be exploited by attackers to gain unauthorized access or execute arbitrary code.

This vulnerability is a result of flawed logic, and may allow attackers to execute arbitrary commands on the server.


- https://www.cve.org/CVERecord?id=CVE-2024-27980

- https://owasp.org/www-community/attacks/Command_Injection

Credits


- ryotak

Mitigation

This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.


- Update to a Node.js LTS version

- Leverage a commercial support partner like HeroDevs for post-EOL security.

Refer to the NES documentation for upgrade instructions.

Vulnerability Details
ID
CVE-2024-27980
PROJECT Affected
Node
Versions Affected
4.0 <= 18.20.2, 20 < 20.12.2
Published date
January 9, 2025
≈ Fix date
January 9, 2025
Fixed in
Severity
High
Category
Command Injection
Sign up for the latest vulnerability alerts fixed in
Node.js NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.