Node.js launch-editor cmd injection via unsanitized file args v<2.9.0
CVE-2024-52011 Published on June 1, 2026

launch-editor vulnerable to command injection via the crafted request on Windows
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.

NVD

Vulnerability Analysis

CVE-2024-52011 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Weakness Types

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2024-52011 has been classified to as a Command Injection vulnerability or weakness.

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2024-52011 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2024-52011

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-52011 are published in these products:

Vitejs Vite
 
Red Hat Cryostat
 
Red Hat Rhmt
 
Red Hat Workload Availability Nhc
 
Red Hat Openshift Lightspeed
 
Red Hat Openshift Pipelines
 
Red Hat Service Mesh
 
Red Hat Amq Broker
 
Red Hat Ansible Automation Platform
 
Red Hat Apache Camel Hawtio
 
Red Hat Build Keycloak
 
Red Hat Podman Desktop
 
Red Hat Jboss Data Grid
 
Red Hat Rhdh
 
Red Hat Discovery
 
Red Hat Enterprise Linux Ai
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Openshift Ai
 
Red Hat Openshift
 
Red Hat Openshift Devspaces
 
Red Hat Container Native Virtualization
 
Red Hat Quay
 
Red Hat Ansible Portal
 

Affected Versions

vitejs launch-editor: vitejs vite: Red Hat Cryostat 4: Red Hat Migration Toolkit for Containers: Red Hat Node HealthCheck Operator: Red Hat OpenShift Lightspeed: Red Hat OpenShift Pipelines: Red Hat OpenShift Service Mesh 2: Red Hat OpenShift Service Mesh 3: Red Hat AMQ Broker 7: Red Hat Ansible Automation Platform 2: Red Hat build of Apache Camel - HawtIO 4: Red Hat Build of Keycloak: Red Hat Build of Podman Desktop: Red Hat Build of Podman Desktop - Tech Preview: Red Hat Data Grid 8: Red Hat Developer Hub: Red Hat Discovery 2: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift Container Platform 4: Red Hat OpenShift Dev Spaces: Red Hat OpenShift Virtualization 4: Red Hat Quay 3: Red Hat Self-service automation portal 2:

Exploit Probability

EPSS
0.53%
Percentile
40.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.