Security Update for Node.js on Windows Systems: CVE-2024-27980

Bar Refael

April 11, 2024

The Node.js project has released security updates for a high-severity vulnerability tracked as CVE-2024-27980, which affects Node.js applications running on Windows. The flaw allows an attacker who controls command-line arguments passed to a batch file to inject arbitrary commands, which turns into code execution in any application that forwards untrusted input to the affected functions.

Vulnerability Overview

  • Affected Feature: The flaw is in the child_process.spawn and child_process.spawnSync functions, which Node.js applications use to start child processes.
  • Specific Target: The issue is specific to launching .bat and .cmd batch files. On Windows these files are not executed directly: CreateProcess hands them to cmd.exe, whose command-line parsing rules differ from the quoting rules Node.js applies when it builds the argument string. Because of this mismatch, an argument containing a double quote followed by a cmd.exe metacharacter such as & can close the quoted argument and start a second command, even though the shell option is disabled and the caller expects the arguments to be passed verbatim.
  • Risk: The result is command injection with the privileges of the Node.js process. If the injected argument originates from an untrusted source (for example an HTTP request parameter), this becomes remote code execution and lets an attacker install malware, exfiltrate sensitive data or disrupt the service.

Implications

  • Windows Node.js Installations: Only Node.js running on Windows is affected; on other platforms child_process never routes a file through cmd.exe, so the quoting mismatch does not arise.
  • Version Impact: All release lines that were supported at the time, 18.x, 20.x and 21.x, are affected.

Mitigation and Patching

  • Urgency to Update: Given the High severity rating and the ease of exploitation (a single crafted argument is enough), the update should be applied promptly on every Windows host that runs Node.js.
  • Patching: The Node.js project released fixed versions on April 10, 2024: 18.20.2, 20.12.2 and 21.7.3. Note that the fix changes behaviour: a patched Node.js refuses to spawn a .bat or .cmd file unless shell: true is set and fails with a spawn EINVAL error, so code that launched batch files through spawn without the shell option (for example npm.cmd or other .cmd wrappers on Windows) must be adjusted after the upgrade.
  • Developer Action: Developers whose code passes arguments to batch files should review those call sites. With shell: true, Node.js performs no escaping for cmd.exe, so arguments must be validated against a strict allowlist or escaped by the application itself; never pass untrusted input through to a .bat or .cmd file. Where possible, invoke the underlying executable (for example node.exe with the script path) instead of its .cmd wrapper so that no shell is involved at all.

Stay Secure. Stay Informed.

OP Innovate Research Team.
