{"id":"CVE-2024-36138","details":"Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.","aliases":["BIT-node-2024-36138","BIT-node-min-2024-36138"],"modified":"2026-04-16T04:35:31.123162648Z","published":"2024-09-07T16:15:02Z","related":["CGA-9m92-4r7q-86j5","SUSE-SU-2024:2496-1","SUSE-SU-2024:2542-1","SUSE-SU-2024:2543-1","SUSE-SU-2024:2574-1","openSUSE-SU-2024:14435-1","openSUSE-SU-2025:15802-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0010/"},{"type":"ARTICLE","url":"https://nodejs.org/en/blog/vulnerability/july-2024-security-releases"}],"schema_version":"1.7.5"}