{"id":"CVE-2024-52011","summary":"launch-editor vulnerable to command injection via a crafted request on Windows","details":"launch-editor allows users to open files with line numbers in an editor from Node.js. Prior to version 2.9.0, due to insufficient sanitization of the `file` argument in `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.","aliases":["GHSA-c27g-q93r-2cwf"],"modified":"2026-06-06T18:29:31.769600972Z","published":"2026-06-01T17:17:43.792Z","related":["CGA-hmp2-jmvh-v67h"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52011.json","cna_assigner":"GitHub_M","unresolved_ranges":[{"extracted_events":[{"fixed":"5.4.9"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-77"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52011.json"},{"type":"ADVISORY","url":"https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52011"},{"type":"FIX","url":"https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vitejs/launch-editor","events":[{"introduced":"0"},{"fixed":"811288a824b570a8ed9570323c924b42ddc62031"}]}],"versions":["v2.8.2","v2.8.1","v2.8.0","v2.7.0","v2.6.1","v2.6.0","v2.5.0","v2.4.0","v2.3.0","v2.2.1","v2.2.0","v2.1.0","v2.0.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52011.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}