HIGH 8.3

CVE-2024-52011: Command Injection in launch-editor via Malicious Filenames on Windows

CVE-2024-52011 is a command injection vulnerability in the launch-editor library, a Node.js utility that opens files in text editors with specified line numbers. Before version 2.9.0, the library failed to properly sanitize filename input on Windows systems, allowing an attacker to inject and execute arbitrary commands by crafting a malicious filename. An attacker would need to trick a user into opening a specially crafted file—typically through a development workflow, build process, or IDE integration—to trigger code execution with the privileges of the affected user.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Weaknesses (CWE)
CWE-77, CWE-88
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-07-02

NVD description (verbatim)

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input sanitization of the `file` argument passed to the `launchEditor` function. On Windows, special characters in filenames are not properly escaped before being passed to shell execution contexts. This allows command injection through shell metacharacters. An attacker can embed shell commands (e.g., using `&`, `|`, `;`, or other command separators) within a filename, which are then executed by the operating system rather than being treated as literal filename characters. The issue affects launch-editor versions prior to 2.9.0 and is resolved in version 2.9.0 and later, which includes a corresponding fix in Vite version 5.4.9.

Business impact

Development teams using affected versions face the risk of supply chain compromise and lateral movement. If a developer opens a malicious file through an IDE, build tool, or development utility that depends on launch-editor, arbitrary code executes with the developer's system privileges. This could lead to theft of source code, credentials, API keys, or other sensitive assets stored in the development environment. Compromised developer machines can become pivot points for broader infrastructure attacks. Organizations relying on Vite or tools integrated with launch-editor should assess their exposure.

Affected systems

The launch-editor library is the direct affected component. Affected versions are all releases prior to 2.9.0. The vulnerability is specific to Windows systems; the insufficient sanitization pattern does not yield command injection on Unix-like systems due to different shell quoting semantics. Any Node.js application or tool that includes launch-editor as a dependency—including Vite (affected in versions before 5.4.9)—is potentially vulnerable if running on Windows. IDEs and editors that invoke launch-editor for opening files with line numbers are common exposure vectors.

Exploitability

The CVSS score of 8.3 (HIGH) reflects realistic exploitability. An attacker requires user interaction (UI:R)—someone must open a crafted file or filename—but no special privileges or complex attack conditions are needed. The attack is network-accessible (AV:N), meaning malicious files can be distributed via email, repositories, file-sharing platforms, or other remote channels. Once a developer opens a file with a malicious name, code execution is immediate. The barrier to crafting and distributing such a filename is low, making this a moderate-to-high practical risk in development environments.

Remediation

Update launch-editor to version 2.9.0 or later. If launch-editor is used indirectly through Vite, update Vite to version 5.4.9 or later. Both versions include corrected filename sanitization logic that properly escapes or validates special characters before passing filenames to shell execution on Windows. Review your project dependencies to identify all transitive uses of launch-editor. After patching, no configuration changes are required; the fix is transparent to end users.

Patch guidance

1. Check your package.json and lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) for direct or transitive dependencies on launch-editor and Vite. 2. If using Vite for development, upgrade to 5.4.9 or later. 3. If launch-editor is a direct dependency, upgrade to 2.9.0 or later. 4. Run `npm audit` or equivalent after patching to confirm resolution. 5. Test your development workflows (particularly opening files from IDEs and build tools) to confirm normal operation. 6. Communicate the patch requirement to your development team, emphasizing the importance of updating before opening untrusted or unknown files.

Detection guidance

Monitor for unusual command execution originating from editor processes or Node.js development tools on Windows systems. Look for shell metacharacters (`;`, `|`, `&`, `>`, `<`) appearing in process names, command lines, or file paths being opened by development tools. Endpoint detection and response (EDR) tools should alert on unexpected child processes spawned from editor or Vite processes. In source repositories, scan for filenames containing shell metacharacters, particularly in recently added or pull-requested files. Code review practices should include scrutiny of any unusually named files in changesets.

Why prioritize this

Prioritize this patch for Windows-based development environments. The HIGH severity, ease of exploitation through social engineering (malicious filenames), and presence in widely-used development tools (Vite) make this a meaningful risk. Development machines often hold high-value credentials and source code, amplifying the impact of code execution. However, the requirement for user interaction (opening a file) and Windows-only exposure moderates urgency slightly compared to unauthenticated remote code execution in production systems. Prioritize teams that frequently clone or open repositories from external sources or that use Vite in Windows-based CI/CD pipelines.

Risk score, explained

The CVSS 8.3 score reflects: (1) network accessibility of the attack vector—malicious files can be distributed remotely; (2) low attack complexity—no special conditions needed beyond crafting a filename with shell metacharacters; (3) no privilege requirement; (4) user interaction—a developer must open the file, which is a realistic but necessary condition; (5) high confidentiality and integrity impact from arbitrary code execution; (6) lower availability impact. The score appropriately captures the serious but not critical nature of this development-environment focused vulnerability.

Frequently asked questions

Does this affect production servers running Node.js?

Unlikely, unless your production deployment directly uses the launch-editor library to open files interactively. launch-editor is designed for development workflows and IDE integration. Most production deployments do not include it. However, verify your production dependencies to be certain.

What if my project does not directly depend on launch-editor?

It may be a transitive dependency. Run `npm ls launch-editor` (or equivalent for your package manager) to check. If Vite is a dependency, it likely brought in launch-editor, and you should update Vite to 5.4.9+.

Is this vulnerability exploitable on macOS or Linux?

No. The vulnerability is specific to Windows due to how shell metacharacters are handled in Windows command execution. Unix-like systems use different quoting and escaping rules that prevent this particular injection pattern. Windows developers remain the primary target.

Do I need to take any action after updating to 2.9.0?

No special post-patch action is required. The fix is transparent. Simply update, verify your development workflows still function normally, and ensure your team is using the patched version.

This analysis is provided for informational purposes to support security decision-making. It is based on the publicly disclosed vulnerability information available as of the publication date. Readers should verify all technical details, patch availability, and applicability to their specific environment against official vendor advisories and release notes. The absence of a CVE in the Known Exploited Vulnerabilities (KEV) catalog does not indicate that exploitation is unlikely; it reflects KEV's specific publication criteria. Organizations are responsible for assessing their own risk tolerance, testing patches in non-production environments before deployment, and maintaining an inventory of affected software in their infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).