The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn
/ child_process.spawnSync
. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
This vulnerability affects all users of child_process.spawn
and child_process.spawnSync
on Windows in all active release lines.