Node.js Command Injection Vulnerability in Child Process Module on Windows

Vulnerability

A command injection vulnerability has been identified in Node.js versions 18.x, 20.x, and 21.x. The issue arises from improper handling of batch files (.bat and .cmd) in the child_process.spawn and child_process.spawnSync methods on Windows. A malicious command-line argument can inject arbitrary commands that are then executed, even when the shell option is disabled. This vulnerability affects all users on Windows in the active release lines.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Remediation

Users should upgrade to Node.js versions 18.20.2, 20.15.1, or 22.4.1, all of which include the necessary fix. Instructions for updating can be found in the Node.js release blog or through the Fedora package management system.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 10.0
exploitability: 3.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.