CVE-2024-52011
launch-editor Arbitrary Command Execution on Windows

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
launch-editor allows users to open files, with line numbers, in an editor from Node.js. Prior to version 2.9.0, due to insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Meta Information
Generated: 2026-06-02
AI Q&A generated: 2026-06-01
EPSS: not evaluated (N/A)
Affected Vendors & Products
1 associated CPE

Vendor   Product        Version / Range
vitejs   launch-editor  up to 2.9.0 (2.9.0 excluded)
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-52011 is a command injection vulnerability in the launch-editor package used on Windows systems. It occurs because the launchEditor function does not properly sanitize the file argument, allowing an attacker to execute arbitrary commands by supplying a filename containing special characters.

This vulnerability can be exploited if an attacker can place a malicious file and invoke the launchEditor method with a controlled file argument, particularly in environments where the package runs on Windows, such as development servers.

The issue has been fixed in launch-editor version 2.9.0 by implementing an escape mechanism for dangerous characters and properly quoting file paths to prevent command injection.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on affected Windows systems, allowing attackers to run arbitrary commands with potentially high impact.

  • High risk to confidentiality, as attackers could access sensitive information.
  • High risk to integrity, since attackers could modify or corrupt data.
  • High risk to availability, as attackers could disrupt or disable system functionality.

The attack vector is network-based and requires user interaction, but the attack complexity is low, making it a significant threat in vulnerable environments.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves command injection via the launch-editor package on Windows systems when the launchEditor function is called with a specially crafted file argument containing special characters.

Detection can focus on monitoring calls to the launchEditor function with suspicious file names containing special characters such as &, <, >, |, %, and ^, which are known to be used in command injection attempts.

On Windows systems, you can audit processes or scripts invoking launch-editor or monitor logs for unusual command executions triggered by file names.

  • Use Windows Event Logs or Sysmon to track process creation events related to launch-editor or Node.js processes.
  • Search for suspicious command lines containing special characters in process monitoring tools or logs.
  • If you have access to the source or runtime environment, check the version of launch-editor installed by running: `npm list launch-editor` or `yarn list launch-editor` to verify if it is below version 2.9.0.
  • Use network monitoring tools to detect unusual or unexpected outbound commands or connections initiated by processes running launch-editor.
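The two checks the list above describes, screening file arguments for the named cmd.exe metacharacters and reading the installed version out of `npm list launch-editor` output, as an added example in Node.js. This is not code from launch-editor, vite or the advisory; the `npm list` text it parses is constructed here, and the 2.9.0 threshold is the fixed version the advisory gives.

```javascript
// Added example (not launch-editor's or the advisory's code): screen file
// arguments for the cmd.exe metacharacters listed in the detection guidance,
// and flag launch-editor versions below the fixed release in `npm list` output.

// Characters called out in the detection guidance above.
const SUSPICIOUS_CHARS = /[&<>|%^]/;

// Returns the distinct suspicious characters found in a file argument, or an
// empty array if the name is clean. Pure inspection: nothing is executed.
function findSuspiciousChars(fileArg) {
  const found = new Set();
  for (const ch of String(fileArg)) {
    if (SUSPICIOUS_CHARS.test(ch)) found.add(ch);
  }
  return [...found];
}

// Parse a "major.minor.patch" string into numeric parts; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// (String comparison would wrongly rank "2.10.0" below "2.9.0".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error('unparseable version');
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// First release the advisory names as fixed.
const FIXED_VERSION = '2.9.0';

// Collect every launch-editor version mentioned in `npm list` output (nested
// or deduped entries included) and return the ones below the fixed version.
function vulnerableVersionsFromNpmList(output) {
  const re = /launch-editor@(\d+\.\d+\.\d+)/g;
  const found = new Set();
  let m;
  while ((m = re.exec(output)) !== null) found.add(m[1]);
  return [...found].filter((v) => compareVersions(v, FIXED_VERSION) < 0);
}

// Constructed sample of `npm list launch-editor` output (not captured from a
// real system): vite pulling in an older launch-editor.
const SAMPLE_NPM_LIST = [
  'my-app@1.0.0 C:\\src\\my-app',
  '`-- vite@5.4.8',
  '  `-- launch-editor@2.8.1',
].join('\n');

console.log(findSuspiciousChars('src\\index.js'));           // []
console.log(findSuspiciousChars('notes&todo|draft.txt'));    // [ '&', '|' ]
console.log(vulnerableVersionsFromNpmList(SAMPLE_NPM_LIST)); // [ '2.8.1' ]
```

The version comparison is numeric on purpose: a string comparison would rank a future 2.10.x release below 2.9.0 and raise a false alarm.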

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the launch-editor package to version 2.9.0 or later, where the vulnerability has been fixed.

This update replaces the insecure allowlist approach with an escape mechanism that neutralizes dangerous characters in file names and properly quotes file paths, preventing command injection.

Additionally, ensure that your development or deployment environment restricts untrusted users from supplying arbitrary file names to the launchEditor function.

  • Update launch-editor to version 2.9.0 or newer using your package manager (e.g., `npm install launch-editor@^2.9.0`).
  • Audit and restrict user inputs that can influence file arguments passed to launchEditor.
  • Consider applying runtime monitoring to detect and block suspicious command executions triggered by launch-editor.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to execute arbitrary commands on a Windows system due to insufficient sanitization of input, leading to high risks to confidentiality, integrity, and availability of the affected system.

Such risks could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. If exploited, the vulnerability could lead to unauthorized access or modification of data, violating these compliance requirements.

However, the provided information does not explicitly state the direct impact on compliance frameworks or specific regulatory consequences.

