CVE-2024-52011

Source
https://cve.org/CVERecord?id=CVE-2024-52011
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52011.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-52011
Aliases
Related
Published
2026-06-01T17:17:43.792Z
Modified
2026-06-06T18:29:31.769600972Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
launch-editor is vulnerable to command injection via a crafted request on Windows
Details

launch-editor lets users open files, with line numbers, in an editor from Node.js. Prior to version 2.9.0, the file argument passed to launchEditor is insufficiently sanitized, so an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in launch-editor version 2.9.0, corresponding to vite version 5.4.9.

Database specific
{
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "5.4.9"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52011.json",
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

Git / github.com/vitejs/launch-editor

Affected ranges

Type
GIT
Repo
https://github.com/vitejs/launch-editor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.8.1
v2.8.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52011.json"