Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-52011

High

7.5/10

Summary

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: ACTIVE
Privileges Required: NONE

CWE-77 - Command Injection

A command injection attack involves injecting an operating system command through the data input, which gets executed on the host operating system with the privileges of the victimized application. The impact of a command injection attack may range from loss of data confidentiality and integrity to unauthorized remote access to the hosting system. The attack may cause serious data breaches and system takeover.

References

Advisory

Advisory Timeline

Published Jun 01, 2026

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-52011

Summary

CWE-77 - Command Injection

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS