CVE-2024-36138

HIGH8.1EPSS 0.26%

Published: 9/7/2024Modified: 12/3/2025

Also known as:ALPINE-CVE-2024-36138

Description

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Affected packages (3)

Alpine/nodejsfrom 0, < 0
Bitnami/nodefrom 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
Bitnami/node-minfrom 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2024-36138
WEBhttps://nodejs.org/en/blog/vulnerability/july-2024-security-releases
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-36138
WEBhttps://security.netapp.com/advisory/ntap-20241108-0010/
WEBhttps://www.oracle.com/security-alerts/cpuoct2024.html