Node.js flaw on Windows exposes risk of arbitrary code execution on the system
Take action: If you are running Node.js 18.x, 20.x, 21.x release lines on Windows, time to update. Review your code and use cases, but be mindful that it's always better to plan a patch then to wait for your use case to change and expose the vulnerability - and then panic.
Learn More
The Node.js project reports a critical severity vulnerability, tracked as CVE-2024-27980 (CVSS score 9.8), which affects 18.x, 20.x, 21.x release lines of Node.js software on Windows platforms.
The flaw centers around the `child_process.spawn` and `child_process.spawnSync` functions in Node.js, when deployed on Windows systems. Due to the vulnerability, these functions could be manipulated through specially crafted command-line arguments to execute arbitrary commands on the system, enabling command injection and arbitrary code execution, even when the `shell` option is disabled.
The Node.js project team has released security updates for the impacted versions on April 9, 2024. Node.js users, urged to update their installations to the newly released versions. Additionally, users should reevaluate the security practices surrounding the use of child processes within their Node.js applications concerning the handling of external inputs and command-line arguments.
