CVE-2024-36138: 
Node.js vulnerability analysis and mitigation

CVE-2024-36138 is a high-severity vulnerability identified as a bypass of an incomplete fix for CVE-2024-27980 (known as the BatBadBut vulnerability). The vulnerability exists in Node.js and arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn / childprocess.spawnSync. This security flaw affects all active Node.js release lines including 22.x, 20.x, and 18.x (Node.js Blog).

The vulnerability allows malicious command line arguments to inject arbitrary commands and achieve code execution even when the shell option is disabled. The severity of this vulnerability is rated as HIGH with a CVSS v3.0 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Some sources rate it even higher, with NetApp assigning a CVSS score of 10.0 (CRITICAL) (NetApp Advisory).

The vulnerability affects all Windows users of childprocess.spawn and childprocess.spawnSync in all active Node.js release lines. Successful exploitation could lead to arbitrary code execution, potentially resulting in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (SecurityOnline, NetApp Advisory).

The Node.js project has released security updates to address this vulnerability. Users are strongly recommended to upgrade to the following patched versions: Node.js v18.20.4, Node.js v20.15.1, or Node.js v22.4.1. These updates contain patches for the vulnerability and other security issues (Node.js Blog).