CVE-2024-52011: launch-editor vulnerable to command injection via a crafted request on Windows
Due to insufficient sanitization of the file argument in launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.
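As an added illustration of the kind of input check a caller can apply on the defending side, the following validates the file argument before it is handed to launchEditor. This is example code, not launch-editor's own code, and the referenced fix commit may take a different approach; the function names isSafeEditorTarget and openInEditorSafely are hypothetical, and the "path", "path:line" and "path:line:column" target format is assumed to be the one launch-editor accepts.

```javascript
// Added example, not launch-editor's own code: allowlist validation for the
// target passed to launchEditor, so that special characters in an untrusted
// filename are rejected before they can reach the Windows command line.

// Characters cmd.exe interprets (&, |, <, >, ^, quotes, %, !) plus any control
// character are rejected outright; $, ; and backtick are rejected as well for
// callers that may run under other shells.
const DISALLOWED = /[&|<>^"'`%$;!\x00-\x1f\x7f]/;

// Assumed launch-editor target shape: optional drive letter, a path with no
// further colons, then optional ":line" and ":column" suffixes.
const TARGET_RE = /^([A-Za-z]:)?([^:]+)(?::(\d+))?(?::(\d+))?$/;

// Path bodies are limited to characters usual in source file names.
const PATH_BODY_RE = /^[\w.\- \\\/@~]+$/;

function isSafeEditorTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 4096) {
    return false;
  }
  if (DISALLOWED.test(target)) return false;
  const m = TARGET_RE.exec(target);
  if (!m) return false;
  const pathBody = m[2];
  return PATH_BODY_RE.test(pathBody);
}

// Wrapper around the real launchEditor (or a stub in tests): the raw target is
// validated first, and rejected input never reaches the launcher.
function openInEditorSafely(target, launch, editor) {
  if (!isSafeEditorTarget(target)) {
    return { launched: false, reason: 'rejected unsafe editor target' };
  }
  launch(target, editor);
  return { launched: true };
}

module.exports = { isSafeEditorTarget, openInEditorSafely };
```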
References
- github.com/advisories/GHSA-c27g-q93r-2cwf
- github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e
- github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf
- github.com/yyx990803/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf
- nvd.nist.gov/vuln/detail/CVE-2024-52011