CVE-2024-52011: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in vitejs launch-editor
CVE-2024-52011 is a command injection vulnerability in the vitejs launch-editor package prior to version 2. 9. 0. The issue arises from insufficient sanitization of the file argument in the launchEditor function, allowing an attacker to execute arbitrary commands on Windows by crafting a filename with special characters. This vulnerability has been fixed in launch-editor version 2. 9. 0, which corresponds to vite version 5. 4. 9. The vulnerability is rated with a high severity score of 7.
AI Analysis
Technical Summary
The vitejs launch-editor package before version 2.9.0 contains a command injection vulnerability (CWE-77) due to improper neutralization of special elements in the file argument passed to the launchEditor function. This allows an attacker on Windows systems to execute arbitrary commands by supplying a specially crafted filename containing special characters. The vulnerability has been addressed by sanitizing the input in launch-editor 2.9.0, which is included in vite version 5.4.9. The CVSS 4.0 base score is 7.5, indicating high severity with network attack vector, low attack complexity, partial attack and user interaction required, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on Windows systems where the vulnerable launch-editor version is used. This can lead to compromise of system integrity, confidentiality, and availability. The vulnerability affects local environments where launch-editor is used to open files with line numbers in editors via Node.js. There are no reports of active exploitation in the wild.
Mitigation Recommendations
A fix is available by upgrading launch-editor to version 2.9.0 or later, which includes proper sanitization of the file argument to prevent command injection. This fix is also included in vite version 5.4.9. Users should update to these versions to remediate the vulnerability. Since no vendor advisory or patch links were provided, users should verify the update from the official vitejs repository or package manager. No additional mitigations are indicated.
CVE-2024-52011: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in vitejs launch-editor
Description
CVE-2024-52011 is a command injection vulnerability in the vitejs launch-editor package prior to version 2. 9. 0. The issue arises from insufficient sanitization of the file argument in the launchEditor function, allowing an attacker to execute arbitrary commands on Windows by crafting a filename with special characters. This vulnerability has been fixed in launch-editor version 2. 9. 0, which corresponds to vite version 5. 4. 9. The vulnerability is rated with a high severity score of 7.
CVSS v4.0
Score 7.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vitejs launch-editor package before version 2.9.0 contains a command injection vulnerability (CWE-77) due to improper neutralization of special elements in the file argument passed to the launchEditor function. This allows an attacker on Windows systems to execute arbitrary commands by supplying a specially crafted filename containing special characters. The vulnerability has been addressed by sanitizing the input in launch-editor 2.9.0, which is included in vite version 5.4.9. The CVSS 4.0 base score is 7.5, indicating high severity with network attack vector, low attack complexity, partial attack and user interaction required, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on Windows systems where the vulnerable launch-editor version is used. This can lead to compromise of system integrity, confidentiality, and availability. The vulnerability affects local environments where launch-editor is used to open files with line numbers in editors via Node.js. There are no reports of active exploitation in the wild.
Mitigation Recommendations
A fix is available by upgrading launch-editor to version 2.9.0 or later, which includes proper sanitization of the file argument to prevent command injection. This fix is also included in vite version 5.4.9. Users should update to these versions to remediate the vulnerability. Since no vendor advisory or patch links were provided, users should verify the update from the official vitejs repository or package manager. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2024-11-04T17:46:16.779Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de300e29bf47b503a4daf
Added to database: 6/1/2026, 7:52:32 PM
Last enriched: 6/1/2026, 7:52:53 PM
Last updated: 6/2/2026, 5:57:41 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.