Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.
An Command Injection vulnerability has been identified in Node.js. The issue stems from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. This weakness allows attackers to inject arbitrary commands and achieve code execution even if the shell option is not enabled.
This vulnerability affects specific versions of the package and can result in total compromise of the system. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node.js
Affected versions: 4.0 < 18.20.4, 20.0 < 20.15.1, 22.0< 22.4.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 16
Vulnerability Info
The issue stems from improper handling of batch files with all possible extensions on Windows.
For instance, in a scenario where a malicious command line argument is provided, if the shell option is not enabled, the system can execute arbitrary commands. This behavior can be exploited by attackers to achieve code execution.
This vulnerability is a result of flawed logic, and may allow attackers to execute arbitrary code.
- https://www.cve.org/CVERecord?id=CVE-2024-36138
- https://owasp.org/www-community/attacks/Command_Injection
Credits
- tianst
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES Documentation for upgrade instructions.