CVE-2024-52011
launch-editor vulnerable to command injection via the crafted request on Windows
Description
### Summary

Due to insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

### Impact

If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using `launch-editor`:

- An attacker can place a file with the malicious filename
- An attacker can call the `launchEditor` method with the `file` argument controlled
- The `launch-editor` package is running on Windows

For example, some development servers using this package satisfy these conditions, as a malicious website might be able to force the downloading of a file and the path of that file is predictable.

### Patch

This issue has been fixed in `launch-editor` version 2.9.0 ([commit](https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e)).
How to fix CVE-2024-52011
To remediate CVE-2024-52011, upgrade the affected package to a fixed version below.
- —upgrade to 2.9.0 or later
- —upgrade to 5.4.9 or later
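To confirm the upgrade actually reached every installed copy, the following added example (not code from the advisory or the launch-editor project) scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for any `launch-editor` entry below 2.9.0, including copies nested under other dependencies. The sample lockfile and the package names `demo-app`, `dev-server` and `launch-editor-helper` are constructed for illustration.

```javascript
// Fixed launch-editor version, as stated in the advisory.
const FIXED = [2, 9, 0];

// Parse "major.minor.patch" plus an optional "-prerelease" tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// True when `ver` sorts before `fixed`. A prerelease of the fixed version
// (e.g. 2.9.0-beta.1) counts as older, matching semver ordering.
function isBelow(ver, fixed) {
  for (let i = 0; i < 3; i++) {
    if (ver.nums[i] !== fixed[i]) return ver.nums[i] < fixed[i];
  }
  return ver.pre;
}

// Returns [{ path, version }] for every launch-editor copy that is older than
// the fix or whose version cannot be parsed (reported so it gets reviewed).
function findVulnerableLaunchEditor(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package itself, top-level or nested, not look-alike names.
    if (!path.endsWith("node_modules/launch-editor")) continue;
    const parsed = parseVersion(meta.version);
    if (parsed === null || isBelow(parsed, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one vulnerable
// nested copy, and one unrelated package with a similar name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/launch-editor": { version: "2.9.1" },
    "node_modules/dev-server/node_modules/launch-editor": { version: "2.6.0" },
    "node_modules/launch-editor-helper": { version: "1.0.0" },
  },
};

console.log(findVulnerableLaunchEditor(sampleLock));
```

On a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock`; an empty result means no installed copy is below the fixed version.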
Is CVE-2024-52011 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.9.0
- from 0, < 5.4.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |