A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
The vulnerability results from improper handling of command-line arguments passed to the CreateProcess function in Windows. When certain conditions are met, an attacker can inject additional system commands through crafted input data. This affects applications written in Haskell (Process library), Node.js, and PHP, which indirectly call CreateProcess without proper argument sanitization. As a result, a malicious payload can be interpreted by the operating system as a separate command.
An attacker can gain full control over the system — execute arbitrary code, access sensitive data, and disrupt the operation of applications or entire servers (violation of confidentiality, integrity, and availability).
Patches available from individual environment vendors (Haskell, Node.js, PHP) should be applied according to the references. Additionally, it is recommended to verify and sanitize all input data passed to functions that launch system processes on the Windows platform.
Windows applications using: Haskell Process Library, Node.js environment, and PHP — in versions specified in the manufacturer's references — that indirectly call the CreateProcess function.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHaskell Process Library
APPHaskell< 1.6.19.0Microsoft Windows
OSMicrosoftwszystkie wersjeNode.js
APPNodejs19.0.0 – 20.12.2 (bez)21.0.0 – 21.7.3 (bez)< 18.20.2PHP
APPPhp8.2.0 – 8.2.18 (bez)8.3.0 – 8.3.6 (bez)< 8.1.28Rust Lang Rust
APPRust-Lang< 1.77.2Yt Dlp Project Yt Dlp
APPYt-Dlp Project2021.04.11 – 2024.04.09 (bez)
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit