{"id":"CVE-2024-3566","summary":"Command injection vulnerability in programming languages on the Microsoft Windows operating system.","details":"A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.","aliases":["BIT-node-2024-3566","BIT-node-min-2024-3566","HSEC-2024-0003"],"modified":"2026-05-30T07:41:25.964894221Z","published":"2024-04-10T15:22:56.099Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"*"},{"last_affected":"21.7.2"},{"last_affected":"*"},{"last_affected":"*"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/3xxx/CVE-2024-3566.json","cna_assigner":"certcc"},"references":[{"type":"WEB","url":"https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"},{"type":"WEB","url":"https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566"},{"type":"WEB","url":"https://kb.cert.org/vuls/id/123335"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2024-1874"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2024-22423"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2024-24576"},{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/123335"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/3xxx/CVE-2024-3566.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3566"},{"type":"ARTICLE","url":"https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0"},{"fixed":"9aedf16f8fb3b2e397a07e3844dd964ce435a8e3"},{"introduced":"cc993fb2760d01457955f5b9ff787d559ed1c34e"},{"fixed":"b3f0c612c8af7be46148f54604710bd5c6e2464f"},{"introduc
ed":"38d0e69347de4db532a3bb6bddf51ead9ff764f8"},{"fixed":"97297e91febe3b49b50b22f0bea8ed21189a9e53"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"18.20.2"},{"introduced":"19.0.0"},{"fixed":"20.12.2"},{"introduced":"21.0.0"},{"fixed":"21.7.3"}],"cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"}}],"versions":["v18.20.1","v20.12.1","v21.7.2","v20.12.0","v18.20.0","v21.7.1","v21.7.0","v21.6.2","v20.11.1","v18.19.1","v21.6.1","v21.6.0","v20.11.0","v21.5.0","v21.4.0","v21.3.0","v18.19.0","v20.10.0","v21.2.0","v21.1.0","v20.9.0","v21.0.0","v18.18.2","v20.8.1","v18.18.1","v20.8.0","v18.18.0","v20.7.0","v20.6.1","v20.6.0","v20.5.1","v18.17.1","v20.5.0","v18.17.0","v20.4.0","v18.16.1","v20.3.1","v20.3.0","v20.2.0","v20.1.0","v20.0.0","v18.16.0","v18.15.0","v18.14.2","v18.14.1","v18.14.0","v18.13.0","v18.12.1","v18.12.0","v18.11.0","v18.10.0","v18.9.1","v18.9.0","v18.8.0","v18.7.0","v18.6.0","v18.5.0","v18.4.0","v18.3.0","v18.2.0","v18.1.0","v18.0.0","v3.0.0","v2.5.0","v2.4.0","v2.3.4","v2.3.3","v2.3.2","v2.3.1","v2.3.0","v2.2.1","v2.2.0","v2.1.0","v2.0.2","v2.0.1","v2.0.0","v1.7.1","v1.7.0","v1.6.4","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.1","v1.5.0","v1.4.3","v1.4.2","v1.4.1","v1.3.0","v1.2.0","v1.1.0","v1.0.4","v1.0.3","v1.0.2-release","v1.0.2","v1.0.1-release","v1.0.1","v0.7.3","v0.7.2","v0.7.0","v0.6.1","v0.6.0","v0.5.10","v0.5.9","v0.5.8","v0.5.7","v0.5.6","v0.5.5-rc1","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.0","v0.3.8","v0.3.7","v0.3.6","v0.3.5","v0.3.4","v0.3.2","v0.3.1","v0.3.0","v0.2.0","v0.1.104","v0.1.103","v0.1.102","v0.1.101","v0.1.100","v0.1.99","v0.1.98","v0.1.97","v0.1.96","v0.1.95","v0.1.94","v0.1.93","v0.1.92","v0.1.33","v0.1.32","v0.1.31","v0.1.30","v0.1.29","v0.1.28","v0.1.27","v0.1.26","v0.1.25","v0.1.24","v0.1.23","v0.1.22","v0.1.21","v0.1.20","v0.1.19","v0.1.18","v0.1.17","v0.1.16","v0.1.15","v0.1.14","v0.1.13","v0.1.12","v0.1.11","v0.1.10","v0.1.9","v0.1.8","v0.1.7","v0.1.6","v0.1.5","
v0.1.4","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.6","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3566.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"fixed":"9119509142637005d079bcc2815ee43ec1c79524"},{"introduced":"70ee6c20ad97e02c2b8098aeea96fefbbc3ac5c2"},{"fixed":"d94fdf582e1fe4a1d85ded00a4c8b9935486c51d"},{"introduced":"d26068059e83fe40de3430a512471d194119bee0"},{"fixed":"6e8a26fba3020ad939a6cca2590c987176e00ded"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"8.1.28"},{"introduced":"8.2.0"},{"fixed":"8.2.18"},{"introduced":"8.3.0"},{"fixed":"8.3.6"}],"cpe":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"}}],"versions":["POST_PHP7_NSAPI_REMOVAL","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_REMOVALS","POST_PHP7_REMOVALS","POST_AST_MERGE","PRE_AST_MERGE","POST_64BIT_BRANCH_MERGE","PRE_64BIT_BRANCH_MERGE","POST_PHPNG_MERGE"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3566.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/rust-lang/rust","events":[{"introduced":"0"},{"fixed":"25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"1.77.2"}],"cpe":"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*"}}],"versions":["1.77.1","1.77.0","1.0.0-beta","1.0.0-alpha.2","1.0.0-alpha","0.9","0.8","release-0.7","0.7","release-0.6","0.6","release-0.5","0.5","release-0.4","0.4","release-0.2","0.2","release-0.1","0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3566.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/yt-dlp/yt-dlp","events":[{"introduced":"a0f30f194ad6b8e6c56a37df9469ca51f3812692"},{"fixed":"168e72dcd3e04e0e19e92c012a04b8a1e4658f50"}],"dat
abase_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"2021.04.11"},{"fixed":"2024.04.09"}],"cpe":"cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*"}}],"versions":["2024.03.10","2023.12.30","2023.11.16","2023.11.14","2023.10.13","2023.10.07","2023.09.24","2023.07.06","2023.06.22","2023.06.21","2023.03.04","2023.03.03","2023.02.17","2023.01.06","2023.01.02","2022.11.11","2022.10.04","2022.09.01","2022.08.19","2022.08.14","2022.08.08","2022.07.18","2022.06.29","2022.06.22.1","2022.06.22","2022.05.18","2022.04.08","2022.03.08.1","2022.02.04","2022.02.03","2021.12.27","2021.12.25","2021.12.01","2021.11.10.1","2021.11.10","2021.10.22","2021.10.10","2021.10.09","2021.09.25","2021.09.02","2021.08.10","2021.08.02","2021.07.24","2021.07.21","2021.07.07","2021.06.23","2021.06.09","2021.06.08","2021.06.01","2021.05.11","2021.04.22","2021.04.11"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3566.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}