The Node.js project has announced security updates for its 18.x, 20.x, and 21.x release lines to address a critical vulnerability. This vulnerability, identified as CVE-2024-27980, is a high-severity issue related to command injection. It occurs when using the child_process.spawn or child_process.spawnSync functions without the shell option enabled on Windows. This allows an attacker to execute arbitrary commands, posing a significant security risk.
RyotaK discovered the vulnerability, and Ben Noordhuis is credited with the fix.
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
#cybersecurity #nodejs #vulnerability #update #cve #RyotaK #bnoordhuis
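
For code that cannot move to a patched release right away, a pre-spawn guard is one stopgap. The sketch below is an added example, not code from the Node.js project or from this post. It relies on a detail from the linked advisory that the post does not spell out: the issue involves batch files (.bat/.cmd), which Windows runs through cmd.exe even when the shell option is off. The function names and sample call sites are hypothetical.

```javascript
// Added example, not Node.js project code. All names here are hypothetical.
const BATCH_EXTENSIONS = new Set(['.bat', '.cmd']);

// Returns '.bat' or '.cmd' when the spawn target is a batch file, otherwise null.
function batchExtension(command) {
  const name = String(command)
    .replace(/[. ]+$/, '')      // Win32 ignores trailing dots and spaces in file names
    .split(/[\\/]/).pop()       // keep only the file name
    .toLowerCase();
  const dot = name.lastIndexOf('.');
  const ext = dot >= 0 ? name.slice(dot) : '';
  return BATCH_EXTENSIONS.has(ext) ? ext : null;
}

// 'ok'     : not Windows, or not a batch-file target
// 'review' : shell enabled, so the caller must keep untrusted input out of the arguments
// 'reject' : batch file with the shell option off, the case CVE-2024-27980 covers
function checkSpawn(command, options = {}, platform = process.platform) {
  if (platform !== 'win32') return 'ok';
  if (options.shell) return 'review';
  return batchExtension(command) ? 'reject' : 'ok';
}

// Wrapper around a spawn-like function (pass child_process.spawn as spawnFn).
function guardedSpawn(spawnFn, command, args = [], options = {}, platform = process.platform) {
  if (checkSpawn(command, options, platform) === 'reject') {
    throw new Error(`refusing to spawn batch file with shell disabled: ${command}`);
  }
  return spawnFn(command, args, options);
}

// Constructed call sites, as an audit of an existing code base might collect them.
const SAMPLE_CALLS = [
  { command: 'C:\\tools\\build.BAT', options: {} },
  { command: 'deploy.cmd. ', options: {} },
  { command: 'node.exe', options: {} },
  { command: 'release.cmd', options: { shell: true } },
];

function audit(calls, platform) {
  return calls.map((c) => `${c.command.trim()} => ${checkSpawn(c.command, c.options, platform)}`);
}

console.log(audit(SAMPLE_CALLS, 'win32').join('\n'));
```

The guard only limits exposure in application code; installing the security release from the advisory is the actual fix.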