"Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled."

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

#security #nodejs #infosec