CVE-2024-52011
7.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the launch-editor version 2.9.0, corresponding to vite version 5.4.9.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | launch-editor | < 2.9.0 | affected |
| vitejs | vite | < 5.4.9 | affected |
Weaknesses
- CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization
Additional References
- https://access.redhat.com/security/cve/CVE-2024-52011
- https://bugzilla.redhat.com/show_bug.cgi?id=2483853
- https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-52011.json
- https://access.redhat.com/errata/RHSA-2026:34342
References
- https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf
- https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.