Clone2Leak attacks exploit Git vulnerabilities to steal credentials

A set of three related attacks, named 'Clone2Leak', can leak credentials by abusing the way Git and its credential helper pro

Tech Nieuws

The Node.js project has announced security updates for its 18.x, 20.x, and 21.x release lines to address a critical vulnerability. This vulnerability, identified as CVE-2024-27980, is a high-severity issue related to command injection. It occurs when using the child_process.spawn or child_process.spawnSync functions without the shell option enabled on Windows. This allows an attacker to execute arbitrary commands, posing a significant security risk.

This update is a response to the discovery of the vulnerability by RyotaK, with Ben Noordhuis credited for the fix.

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

#cybersecurity #nodejs #vulnerability #update #cve #RyotaK #bnoordhuis

Node.js — Wednesday, April 10, 2024 Security Releases


A critical vulnerability, named BatBadBut, was discovered in the Rust programming language, affecting not just Rust but also Erlang, Go, Python, Ruby, and potentially others. This vulnerability, with a severity score of 10/10, could allow attackers to execute arbitrary commands on Windows systems by exploiting how Rust handles batch files. The issue arises from Rust's standard library improperly escaping arguments when invoking batch files on Windows, leading to potential command injection. The vulnerability has been addressed with a fix in Rust version 1.77.2, which developers are urged to update to. Other programming languages and systems, including Node.js, PHP, and Java, are also affected and are working on patches.

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

#cybersecurity #rust #batbadbut #vulnerability #erlang #go #python #ruby #nodejs #php #java #windows #commandinjection #RyotaK #Grub4K #flattsecurity

BatBadBut: You can't securely execute commands on Windows

Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc. Recently, I reported multiple vulnerabilities to several programming languages that allowed an attacker to perform command injection on Windows when the specific conditions were satisfied. Today, affected vendors published advisories of these vulnerabilities, so I’m documenting the details here to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.

TL;DR

The BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

GMO Flatt Security Research

cdnjs: Security vulnerability allowed code execution at Cloudflare

RyotaK recently discovered a security vulnerability in Cloudflare's cdnjs. With it, he could have injected malicious code on many sites.

Tarnkappe.info