GHSA-c27g-q93r-2cwf
launch-editor vulnerable to command injection via the crafted request on Windows
Details
### Summary

Due to insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

### Impact

If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using `launch-editor`:

- An attacker can place a file with the malicious filename
- An attacker can call the `launchEditor` method with the `file` argument controlled
- The `launch-editor` package is running on Windows

For example, some development servers using this package satisfy these conditions, as a malicious website might be able to force the download of a file whose path is predictable.

### Patch

This issue has been fixed in `launch-editor` version 2.9.0 ([commit](https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e)).
References
- https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf [WEB]
- https://github.com/yyx990803/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-52011 [ADVISORY]
- https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e [WEB]
- https://github.com/vitejs/launch-editor [PACKAGE]