High severity (8.1) · NVD Advisory · Published Sep 7, 2024 · Updated Apr 15, 2026
CVE-2024-36138
Description
This is a bypass of the incomplete fix for CVE-2024-27980. It arises from improper handling of batch files with all possible extensions on Windows in child_process.spawn / child_process.spawnSync: a malicious command-line argument can inject arbitrary commands and achieve code execution even when the shell option is not enabled. The root cause is that Windows cannot execute a .bat or .cmd file directly, so Node.js launches it through cmd.exe, and cmd.exe re-parses the resulting command line for its own metacharacters (&, |, <, >, ^, %) regardless of how the arguments were handed to spawn. Any application that runs a batch file with attacker-influenced arguments on Windows is therefore exposed, and passing shell: false does not protect it; on other platforms the cmd.exe path is not taken.
Affected products
28 OSV package coordinates are listed; none carries a CPE. The ranges are distribution package versions: several pin to builds of Node.js 18.20.4 and 20.15.1, while the -rNN suffixes on the Chainguard and Wolfi 16.x and 21.x entries are package revision bumps, i.e. the fix applied without an upstream version change. A range of ">= 0" means no fixed version is recorded for that package. Note that the injection only occurs on Windows, where batch files are run through cmd.exe; the Linux distribution packages below ship the affected child_process code but that path is not reachable on them.

- pkg:apk/chainguard/nodejs-16: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-16-doc: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-21: < 21.7.3-r13
- pkg:apk/chainguard/nodejs-21-doc: < 21.7.3-r13
- pkg:apk/wolfi/nodejs-16: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-16-doc: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-21: < 21.7.3-r13
- pkg:apk/wolfi/nodejs-21-doc: < 21.7.3-r13
- pkg:bitnami/node: < 18.20.4
- pkg:bitnami/node-min: < 18.20.5
- pkg:deb/ubuntu/nodejs@0.10.25~dfsg2-2ubuntu1.2+esm2?arch=source&distro=esm-infra-legacy/trusty: >= 0
- pkg:deb/ubuntu/nodejs@10.19.0~dfsg-3ubuntu1.6?arch=source&distro=focal: >= 0
- pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6?arch=source&distro=jammy: >= 0
- pkg:deb/ubuntu/nodejs@18.19.1+dfsg-6ubuntu5?arch=source&distro=noble: >= 0
- pkg:deb/ubuntu/nodejs@20.16.0+dfsg-1ubuntu1?arch=source&distro=oracular: >= 0
- pkg:deb/ubuntu/nodejs@20.18.1+dfsg-1ubuntu2?arch=source&distro=plucky: >= 0
- pkg:deb/ubuntu/nodejs@4.2.6~dfsg-1ubuntu4.2+esm3?arch=source&distro=esm-apps/xenial: >= 0
- pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2ubuntu0.4+esm6?arch=source&distro=esm-apps/bionic: >= 0
- pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.5: < 18.20.4-150400.9.24.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.5: < 20.15.1-150500.11.12.2
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.6: < 20.15.1-150600.3.3.2
- pkg:rpm/opensuse/nodejs22&distro=openSUSE%20Tumbleweed: < 22.10.0-1.1
- pkg:rpm/opensuse/nodejs24&distro=openSUSE%20Tumbleweed: < 24.11.1-2.1
- pkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweed: < 26.3.1-1.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012: < 18.20.4-8.24.1
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5: < 18.20.4-150400.9.24.2
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5: < 20.15.1-150500.11.12.2
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6: < 20.15.1-150600.3.3.2