What's going wrong?
After April 10th 2024, the Node team released a patch to an exploit "Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH)". As a result, we are unable to create a pm2 task that would run a .bat batch file and there's an error thrown, Error while launching application Error: spawn EINVAL (nodejs/node#52554).
Could you introduce a argument we could pass in that would allow us to mitigate this by giving us an "unsafe" option we could enable that would allow us to run batch files by adding the { shell: true } argument to any spawn calls?
NOTE that the command works when passing in --interpreter cmd but it doesn't seem to run the contents of the batch file and leaves the cmd shell open without doing anything:
C:\Users\me\.pm2\logs\mybatch-out.log last 15 lines:
10|StreamL | Microsoft Windows [Version 10.0.19045.4894]
10|StreamL | (c) Microsoft Corporation. All rights reserved.
10|StreamL |
10|StreamL | \dir>Microsoft Windows [Version 10.0.19045.4894]
10|StreamL | (c) Microsoft Corporation. All rights reserved.
10|StreamL |
10|StreamL | \dir>Microsoft Windows [Version 10.0.19045.4894]
10|StreamL | (c) Microsoft Corporation. All rights reserved.
10|StreamL |
I've tried it multiple times and it doesn't output anything nor does it do anything
How could we reproduce this issue?
- Create any batch file
pm2 start "mybatch.bat --interpreter none --name mybatch
Supporting information
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
nodejs/node#52554
$ pm2 report
--- PM2 report ----------------------------------------------------------------
Date : Thu Oct 10 2024 10:28:55 GMT-0400 (Eastern Daylight Time)
===============================================================================
--- Daemon -------------------------------------------------
pm2d version : 5.4.2
node version : 22.3.0
node path : not found
argv : C:\Program Files\nodejs\node.exe,C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\lib\Daemon.js
argv0 : node
user : undefined
uid : N/A
gid : N/A
uptime : 12194min
===============================================================================
--- CLI ----------------------------------------------------
local pm2 : 5.4.2
node version : 22.3.0
node path : not found
argv : C:\Program Files\nodejs\node.exe,C:\Program Files\nodejs\node_modules\pm2\bin\pm2,report
argv0 : C:\Program Files\nodejs\\node.exe
user : me
===============================================================================
--- System info --------------------------------------------
arch : x64
platform : win32
type : Windows_NT
cpus : AMD Ryzen 9 5900X 12-Core Processor
cpus nb : 24
freemem : 6663692288
totalmem : 34281103360
home : C:\Users\me
===============================================================================
--- PM2 list -----------------------------------------------
┌────┬────────────────────┬──────────┬──────┬───────────┬──────────┬──────────┐
│ id │ name │ mode │ ↺ │ status │ cpu │ memory │
├────┼────────────────────┼──────────┼──────┼───────────┼──────────┼──────────┤
│ 8 │ redacted │ fork │ 0 │ online │ 0% │ 5.3mb │
│ 7 │ redacted │ fork │ 0 │ online │ 0% │ 5.3mb │
│ 9 │ redacted │ fork │ 0 │ online │ 0% │ 5.3mb │
│ 0 │ monitor │ fork │ 0 │ online │ 0% │ 987.0mb │
└────┴────────────────────┴──────────┴──────┴───────────┴──────────┴──────────┘
===============================================================================
--- Daemon logs --------------------------------------------
C:\Users\me\.pm2\pm2.log last 20 lines:
PM2 | at next (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\node_modules\async\waterfall.js:96:20)
PM2 | at C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\node_modules\async\internal\onlyOnce.js:12:16
PM2 | at WriteStream.<anonymous> (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\lib\Utility.js:186:13)
PM2 | at WriteStream.emit (node:events:520:28)
PM2 | at WriteStream.emit (node:domain:551:15)
PM2 | at node:internal/fs/streams:78:16 {
PM2 | errno: -4071,
PM2 | code: 'EINVAL',
PM2 | syscall: 'spawn'
PM2 | }
PM2 | at God.logAndGenerateError (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\lib\God\Methods.js:34:15)
PM2 | at C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\lib\God\ForkMode.js:115:13
PM2 | at wrapper (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\node_modules\async\internal\once.js:12:16)
PM2 | at next (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\node_modules\async\waterfall.js:96:20)
PM2 | at C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\node_modules\async\internal\onlyOnce.js:12:16
PM2 | at WriteStream.<anonymous> (C:\Users\me\AppData\Roaming\nvm\v22.3.0\node_modules\pm2\lib\Utility.js:186:13)
PM2 | at WriteStream.emit (node:events:520:28)
PM2 | at WriteStream.emit (node:domain:551:15)
PM2 | at node:internal/fs/streams:78:16
PM2 | at FSReqCallback.oncomplete (node:fs:188:23)
What's going wrong?
After April 10th 2024, the Node team released a patch to an exploit "Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH)". As a result, we are unable to create a pm2 task that would run a
.batbatch file and there's an error thrown,Error while launching application Error: spawn EINVAL(nodejs/node#52554).Could you introduce a argument we could pass in that would allow us to mitigate this by giving us an "unsafe" option we could enable that would allow us to run batch files by adding the
{ shell: true }argument to any spawn calls?NOTE that the command works when passing in
--interpreter cmdbut it doesn't seem to run the contents of the batch file and leaves the cmd shell open without doing anything:I've tried it multiple times and it doesn't output anything nor does it do anything
How could we reproduce this issue?
ECHO Hello Worldpm2 start "mybatch.bat --interpreter none--name mybatchSupporting information
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
nodejs/node#52554