High severity 8.1 · NVD Advisory · Published Jan 9, 2025 · Updated Apr 15, 2026
CVE-2024-27980
Description
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Affected products
osv-coords: 27 versions
- pkg:apk/chainguard/nodejs-16 (no CPE), range: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-16-doc (no CPE), range: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-18 (no CPE), range: < 18.20.2-r0
- pkg:apk/chainguard/nodejs-18-doc (no CPE), range: < 18.20.2-r0
- pkg:apk/chainguard/nodejs-20 (no CPE), range: < 20.12.2-r0
- pkg:apk/chainguard/nodejs-20-doc (no CPE), range: < 20.12.2-r0
- pkg:apk/chainguard/nodejs-21 (no CPE), range: < 21.7.3-r0
- pkg:apk/chainguard/nodejs-21-doc (no CPE), range: < 21.7.3-r0
- pkg:apk/wolfi/nodejs-16 (no CPE), range: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-16-doc (no CPE), range: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-18 (no CPE), range: < 18.20.2-r0
- pkg:apk/wolfi/nodejs-18-doc (no CPE), range: < 18.20.2-r0
- pkg:apk/wolfi/nodejs-20 (no CPE), range: < 20.12.2-r0
- pkg:apk/wolfi/nodejs-20-doc (no CPE), range: < 20.12.2-r0
- pkg:apk/wolfi/nodejs-21 (no CPE), range: < 21.7.3-r0
- pkg:apk/wolfi/nodejs-21-doc (no CPE), range: < 21.7.3-r0
- pkg:bitnami/node (no CPE), range: < 18.20.2
- pkg:bitnami/node-min (no CPE), range: < 18.20.2
- pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 18.20.4-150400.9.24.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 20.15.1-150500.11.12.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 20.15.1-150600.3.3.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Tumbleweed (no CPE), range: < 20.15.1-1.1
- pkg:rpm/opensuse/nodejs21&distro=openSUSE%20Tumbleweed (no CPE), range: < 21.7.3-1.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 (no CPE), range: < 18.20.4-8.24.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5 (no CPE), range: < 18.20.4-150400.9.24.2
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5 (no CPE), range: < 20.15.1-150500.11.12.2
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6 (no CPE), range: < 20.15.1-150600.3.3.2
References
- www.openwall.com/lists/oss-security/2024/04/10/15 (nvd)
- www.openwall.com/lists/oss-security/2024/07/11/6 (nvd)
- www.openwall.com/lists/oss-security/2024/07/19/3 (nvd)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/ (nvd)