CVE-2024-27980: 
Node.js vulnerability analysis and mitigation

A command injection vulnerability (CVE-2024-27980) was discovered in Node.js affecting all active release lines (18.x, 20.x, 21.x). The vulnerability stems from improper handling of batch files in childprocess.spawn and childprocess.spawnSync functions, specifically on Windows systems. The vulnerability was discovered and initially disclosed on April 10, 2024 (NodeJS Blog).

The vulnerability allows a malicious command line argument to inject arbitrary commands and achieve code execution even when the shell option is not enabled. This occurs due to improper handling of batch files (.bat and .cmd) in childprocess.spawn and childprocess.spawnSync functions. The vulnerability has been assigned a CVSS v3.0 Base Score of 8.1 (HIGH) with the vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability affects all Windows users across Node.js active release lines 18.x, 20.x, and 21.x. When exploited, it allows attackers to execute arbitrary commands on the system, potentially leading to complete system compromise (NodeJS Blog).

Node.js has implemented a fix by disallowing direct .bat and .cmd file spawning. The fix was released in version 18.20.2 and corresponding versions in other release lines. For users who need to execute batch files, they must now explicitly set { shell: true } as an option. While it's possible to use --security-revert=CVE-2024-27980 to revert the security patch, this is strongly discouraged (NodeJS Blog).