IRONSMITHINTEL
HIGH (CVSS 7.4)
CVE-2024-27980 | Auth: low (depends on application design) | Reboot: not required | Est. 15 minutes (application restart only) | Manual only

Node.js < 21.7.3 — RCE

Node.js on Windows fails to escape arguments properly when spawning child processes via cmd.exe, allowing command injection. Update to Node.js 21.7.3 / 20.12.2 / 18.20.2 immediately — this affects any Windows Node.js application that spawns child processes with user-supplied input.

Published Apr 10, 2024 · Updated May 10, 2026
Why patch: Risk explained in plain English
Worst-case scenario (if unpatched)

Depending on the Node.js application's design, an attacker may be able to inject arbitrary Windows commands that execute with the privileges of the Node.js process. In server-side applications that process user input and pass it to child processes, this can lead to full system compromise.

How the attack works

On Windows, Node.js uses cmd.exe to spawn child processes when no explicit shell is specified. Node.js fails to properly escape arguments containing special characters that cmd.exe interprets (such as &, |, ^, >, <). An application that passes user-controlled input to child_process.exec() or similar functions can be exploited for command injection.

Am I affected? Quick check

Probably yes if any of these apply:

Node.js Application Teams
DevOps Teams
Server Administrators
Running Node.js 21 prior to 21.7.3, Node.js 20 prior to 20.12.2, Node.js 18 prior to 18.20.2 — Windows only

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: Node.js 21.7.3 / 20.12.2 / 18.20.2
Real-world incidents: What we've seen

A Node.js build automation server on Windows accepts repository names as input and uses child_process to run git clone commands. An attacker submits a repository name containing & cmd /c whoami > result.txt &, which executes as an additional command due to the Windows argument escaping bug. The update fixes the escaping logic in the child_process Windows code path.

How to patch

Manual remediation steps

15 minutes (application restart only)

Check Node.js Version

node --version
# Vulnerable if older than v18.20.2 / v20.12.2 / v21.7.3

Update Node.js

# Via winget:
winget upgrade OpenJS.NodeJS.LTS

# Or via nvm-windows (if used):
nvm install 20.12.2
nvm use 20.12.2

# Or download the installer from https://nodejs.org/en/download/

Verify

node --version
# Must show v18.20.2 / v20.12.2 / v21.7.3 or later

Also Review Application Code

// Avoid: passing user input directly to shell commands
const { exec } = require('child_process')
exec(`git clone ${userInput}`, callback) // DANGEROUS

// Prefer: use execFile with explicit argument arrays
const { execFile } = require('child_process')
execFile('git', ['clone', userInput], callback) // SAFER

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.