CVE-2024-52011
Deferred Deferred - Pending Action
launch-editor Arbitrary Command Execution on Windows

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2024-52011
EUVD
EUVD-2024-55605
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vitejs launch-editor to 2.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-52011 is a command injection vulnerability in the launch-editor package used on Windows systems. It occurs because the launchEditor function does not properly sanitize the file argument, allowing an attacker to execute arbitrary commands by supplying a filename containing special characters.

This vulnerability can be exploited if an attacker can place a malicious file and invoke the launchEditor method with a controlled file argument, particularly in environments where the package runs on Windows, such as development servers.

The issue has been fixed in launch-editor version 2.9.0 by implementing an escape mechanism for dangerous characters and properly quoting file paths to prevent command injection.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands on a Windows system due to insufficient sanitization of input, leading to high risks to confidentiality, integrity, and availability of the affected system.

Such risks could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. If exploited, the vulnerability could lead to unauthorized access or modification of data, violating these compliance requirements.

However, the provided information does not explicitly state the direct impact on compliance frameworks or specific regulatory consequences.

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on affected Windows systems, allowing attackers to run arbitrary commands with potentially high impact.

  • High risk to confidentiality, as attackers could access sensitive information.
  • High risk to integrity, since attackers could modify or corrupt data.
  • High risk to availability, as attackers could disrupt or disable system functionality.

The attack vector is network-based and requires user interaction, but the attack complexity is low, making it a significant threat in vulnerable environments.

Detection Guidance

This vulnerability involves command injection via the launch-editor package on Windows systems when the launchEditor function is called with a specially crafted file argument containing special characters.

Detection can focus on monitoring calls to the launchEditor function with suspicious file names containing special characters such as &, <, >, |, %, and ^, which are known to be used in command injection attempts.

On Windows systems, you can audit processes or scripts invoking launch-editor or monitor logs for unusual command executions triggered by file names.

  • Use Windows Event Logs or Sysmon to track process creation events related to launch-editor or Node.js processes.
  • Search for suspicious command lines containing special characters in process monitoring tools or logs.
  • If you have access to the source or runtime environment, check the version of launch-editor installed by running: `npm list launch-editor` or `yarn list launch-editor` to verify if it is below version 2.9.0.
  • Use network monitoring tools to detect unusual or unexpected outbound commands or connections initiated by processes running launch-editor.
Mitigation Strategies

The primary mitigation step is to upgrade the launch-editor package to version 2.9.0 or later, where the vulnerability has been fixed.

This update replaces the insecure allowlist approach with an escape mechanism that neutralizes dangerous characters in file names and properly quotes file paths, preventing command injection.

Additionally, ensure that your development or deployment environment restricts untrusted users from supplying arbitrary file names to the launchEditor function.

  • Update launch-editor to version 2.9.0 or newer using your package manager (e.g., `npm install launch-editor@^2.9.0`).
  • Audit and restrict user inputs that can influence file arguments passed to launchEditor.
  • Consider applying runtime monitoring to detect and block suspicious command executions triggered by launch-editor.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-52011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart