Node.js project disclosed a high-severity vulnerability affecting multiple active release lines of its software on Windows platforms.
This flaw, identified as CVE-2024-27980, allows attackers to execute arbitrary commands on affected systems, posing a serious risk to applications and services built on Node.js.
Node.js Flaw Lets Attackers Execute Malicious Code
The core of the vulnerability lies within the child_process.spawn
and child_process.spawnSync
functions of Node.js when used on Windows operating systems. These functions are commonly utilized to spawn child processes from Node.js applications.
The flaw was discovered in the handling of batch files and command-line arguments passed to these functions.
Specifically, it was found that a maliciously crafted command-line argument could lead to command injection and arbitrary code execution, even if the shell
option is not enabled in the function call.
This vulnerability is particularly alarming because it bypasses the safety mechanism provided by disabling the shell
option, which is often recommended as a security best practice.
The impact is widespread, affecting all users of the 18.x, 20.x, and 21.x release lines of Node.js on Windows.
The Node.js project has acted swiftly in response to the discovery of CVE-2024-27980. Security updates to mitigate the issue have been released for the affected versions: 18.x, 20.x, and 21.x.
These updates are available as of Tuesday, April 9, 2024, and users are strongly urged to upgrade their Node.js installations immediately to protect their applications and infrastructure from potential exploitation.
Security researcher Ryotak was credited with discovering this vulnerability, and Ben Noordhuis implemented the fix. The Node.js project has expressed gratitude to the community members for their contributions to maintaining the platform’s security and integrity.
Recommendations for Node.js Users
In light of this critical vulnerability, Node.js users, especially those running applications on Windows, are advised to:
- Update Immediately: Upgrade to the latest patched versions of Node.js (18.x, 20.x, 21.x) to mitigate the risk posed by CVE-2024-27980.
- Review Security Practices: Re-evaluate the use of child processes within Node.js applications, especially in relation to handling external input and command-line arguments.
- Stay Informed: Subscribe to the nodejs-sec mailing list and regularly check the official Node.js security page for updates on vulnerabilities and security releases.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.