Microsoft is investigating an ongoing Exchange Online outage preventing customers from sending emails and triggering 503 errors on affected systems. […] Read More
BleepingComputer
Related Posts
Ransomware gang behind threats to Fred Hutch cancer patients
Ransomware gang behind threats to Fred Hutch cancer patients
The Hunters International ransomware gang claimed to be behind a cyberattack on the Fred Hutchinson Cancer Center (Fred Hutch) that resulted in patients receiving personalized extortion threats. […] Read More
BleepingComputer
Critical Node.js Flaw Lets Attackers Execute Malicious Code on Windows Machines
Critical Node.js Flaw Lets Attackers Execute Malicious Code on Windows Machines
[[{“value”:”
Node.js project disclosed a high-severity vulnerability affecting multiple active release lines of its software on Windows platforms.
This flaw, identified as CVE-2024-27980, allows attackers to execute arbitrary commands on affected systems, posing a serious risk to applications and services built on Node.js.
Node.js Flaw Lets Attackers Execute Malicious Code
The core of the vulnerability lies within the child_process.spawn and child_process.spawnSync functions of Node.js when used on Windows operating systems. These functions are commonly utilized to spawn child processes from Node.js applications.
The flaw was discovered in the handling of batch files and command-line arguments passed to these functions.
Specifically, it was found that a maliciously crafted command-line argument could lead to command injection and arbitrary code execution, even if the shell option is not enabled in the function call.
This vulnerability is particularly alarming because it bypasses the safety mechanism provided by disabling the shell option, which is often recommended as a security best practice.
The impact is widespread, affecting all users of the 18.x, 20.x, and 21.x release lines of Node.js on Windows.
The Node.js project has acted swiftly in response to the discovery of CVE-2024-27980. Security updates to mitigate the issue have been released for the affected versions: 18.x, 20.x, and 21.x.
These updates are available as of Tuesday, April 9, 2024, and users are strongly urged to upgrade their Node.js installations immediately to protect their applications and infrastructure from potential exploitation.
Security researcher Ryotak was credited with discovering this vulnerability, and Ben Noordhuis implemented the fix. The Node.js project has expressed gratitude to the community members for their contributions to maintaining the platform’s security and integrity.
Recommendations for Node.js Users
In light of this critical vulnerability, Node.js users, especially those running applications on Windows, are advised to:
Update Immediately: Upgrade to the latest patched versions of Node.js (18.x, 20.x, 21.x) to mitigate the risk posed by CVE-2024-27980.
Review Security Practices: Re-evaluate the use of child processes within Node.js applications, especially in relation to handling external input and command-line arguments.
Stay Informed: Subscribe to the nodejs-sec mailing list and regularly check the official Node.js security page for updates on vulnerabilities and security releases.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.
The post Critical Node.js Flaw Lets Attackers Execute Malicious Code on Windows Machines appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
Charming Kiten’s New Backdoor ‘Sponsor’ Targets Brazil, Israel, and U.A.E.
Charming Kiten’s New Backdoor ‘Sponsor’ Targets Brazil, Israel, and U.A.E.
The Iranian threat actor known as Charming Kiten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor.
Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare Read More
The Hacker News | #1 Trusted Cybersecurity News Site