HIGH · CVSS 8.4
CVE-2024-27980 — Node.js Windows command injection via child_process
On Windows, Node.js's child_process.spawn with shell:false still invoked cmd.exe for .bat and .cmd files, allowing argument-injection attacks.
Affects
- Node.js on Windows: 18 < 18.19.1 / 20 < 20.11.1 / 21 < 21.6.2
What an attacker does
An attacker submits user input that is passed as arguments to a Node.js child_process call that runs a .bat or .cmd file. Because Windows hands such files to cmd.exe, the input was interpreted as shell syntax, allowing additional commands to be chained.
How to detect
Run `node --version` on Windows deployments and compare the result against the affected ranges above.
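As an added example (not part of the advisory), the following script classifies a `node --version` string against the ranges listed under "Affects"; the function names and the three-way result strings are this example's own.

```javascript
// Added example, not part of the advisory: classify a Node.js version string
// (the output of `node --version`) against the ranges listed under "Affects".

// First fixed release per affected major, as given in the advisory.
const FIRST_FIXED = {
  18: [18, 19, 1],
  20: [20, 11, 1],
  21: [21, 6, 2],
};

function parseNodeVersion(versionString) {
  // Accepts "v20.10.0" (node --version form) or a bare "20.10.0".
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(versionString).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${versionString}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  // Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classifyNodeVersion(versionString, platform = process.platform) {
  // The bug is Windows-only, so a non-Windows host is out of scope whatever the version.
  if (platform !== 'win32') return 'not-windows';
  const v = parseNodeVersion(versionString);
  const fixed = FIRST_FIXED[v[0]];
  // Majors the advisory does not list (e.g. end-of-life lines) need a separate decision.
  if (!fixed) return 'outside-advisory';
  return compareVersions(v, fixed) < 0 ? 'affected' : 'fixed';
}

// Report on the interpreter running this script (process.version is the same
// value that `node --version` prints).
console.log(`${process.version} on ${process.platform}: ${classifyNodeVersion(process.version)}`);
```

Feed it the strings collected from each Windows host; `outside-advisory` is deliberately not treated as safe, since a release line the advisory does not mention (such as an end-of-life major) needs its own assessment.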
How to fix
Upgrade Node.js to a fixed release. Additionally, never pass user-controlled input as arguments to a .bat or .cmd file on Windows.
How Securie catches it
Securie flags vulnerable Node.js versions and audits child_process call sites in Windows deployments.