cve/2024/CVE-2024-36138.md

CVE-2024-36138

Description

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

POC

Reference

No PoCs from references.

Github

• https://github.com/fkie-cad/nvd-json-data-feeds
• https://github.com/tanjiti/sec_profile
• https://github.com/tianstcht/tianstcht