CVE-2024-52011

Summary

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the launch-editor version 2.9.0, corresponding to vite version 5.4.9.

Affected Software

VendorProductVersion RangeStatus
vitejslaunch-editor< 2.9.0affected
vitejsvite< 5.4.9affected

Weaknesses

  • CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization

Additional References

References