Описание
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for arguments that were not able to be safely escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.
Отчет
This vulnerability exclusively applies to applications running on Windows.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:18/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:20/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:18/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:20/nodejs | Not affected |
Показывать по
Дополнительная информация
EPSS
Связанные уязвимости
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Due to the improper handling of batch files in child_process.spawn / c ...
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Уязвимость функций child_process.spawn() и child_process.spawnSync() программной платформы Node.js операционных систем Windows, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольные команды
EPSS