Advisories for Npm/Launch-Editor package

2026

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

launch-editor vulnerable to command injection via the crafted request on Windows

Due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.