CRITICAL🇵🇱 Wersja polska

CVE-2024-3566

CVSS 9.8v3.1pub. 2024-04-10upd. 2026-05-15

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of command-line arguments passed to the CreateProcess function in Windows. When certain conditions are met, an attacker can inject additional system commands through crafted input data. This affects applications written in Haskell (Process library), Node.js, and PHP, which indirectly call CreateProcess without proper argument sanitization. As a result, a malicious payload can be interpreted by the operating system as a separate command.

Impact

An attacker can gain full control over the system — execute arbitrary code, access sensitive data, and disrupt the operation of applications or entire servers (violation of confidentiality, integrity, and availability).

Mitigation & patch

Patches available from individual environment vendors (Haskell, Node.js, PHP) should be applied according to the references. Additionally, it is recommended to verify and sanitize all input data passed to functions that launch system processes on the Windows platform.

Who is affected

Windows applications using: Haskell Process Library, Node.js environment, and PHP — in versions specified in the manufacturer's references — that indirectly call the CreateProcess function.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Haskell Process Library

    APP
    Haskell
    < 1.6.19.0
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
  • Node.js

    APP
    Nodejs
    19.0.0 – 20.12.2 (bez)21.0.0 – 21.7.3 (bez)< 18.20.2
  • PHP

    APP
    Php
    8.2.0 – 8.2.18 (bez)8.3.0 – 8.3.6 (bez)< 8.1.28
  • Rust Lang Rust

    APP
    Rust-Lang
    < 1.77.2
  • Yt Dlp Project Yt Dlp

    APP
    Yt-Dlp Project
    2021.04.11 – 2024.04.09 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit