CVE-2024-36138

Description

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

How to fix CVE-2024-36138

To remediate CVE-2024-36138, upgrade the affected package to a fixed version below.

Alpine/nodejs—upgrade to 0 or later
—upgrade to 18.20.4 or later
—upgrade to 18.20.5 or later

Is CVE-2024-36138 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0
from 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
from 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-36138
WEBnodejs.org/en/blog/vulnerability/july-2024-security-releases
WEBnvd.nist.gov/vuln/detail/CVE-2024-36138
WEBsecurity.netapp.com/advisory/ntap-20241108-0010/
WEB