CVE-2024-3566
Published: 10 April 2024
Summary
CVE-2024-3566 is a critical-severity Command Injection (CWE-77) vulnerability in Nodejs Node.Js. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability tracked as CVE-2024-3566 affects Windows applications that indirectly rely on the CreateProcess function under specific conditions. The flaw, assigned CWE-77 and carrying a CVSS 3.1 score of 9.8, enables an attacker to inject and execute arbitrary commands when those conditions are met. It impacts any software that passes untrusted input into command execution paths without adequate sanitization on Windows platforms.
An unauthenticated remote attacker can exploit the issue over the network without user interaction. Successful exploitation grants full control over the affected application, allowing arbitrary command execution that can lead to confidentiality, integrity, and availability impacts on the target system.
Public references, including research on Windows command-line handling and related CVEs such as CVE-2024-1874 and CVE-2024-22423, highlight longstanding difficulties with secure command execution and argument quoting on Windows. No specific patch details or mitigation steps are enumerated in the provided references beyond general awareness of the underlying CreateProcess behavior.
The EPSS score remains flat at 0.1055 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32152
Vulnerability details
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-3566 enables command injection in Windows Command Shell (cmd.exe) due to improper argument escaping by language runtimes when executing batch files via CreateProcess, allowing arbitrary command execution with controlled input.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.