CVE-2024-52011 - High Severity Vulnerability
Vulnerable Library - launch-editor-2.2.1.tgz
launch editor from node.js
Library home page: https://registry.npmjs.org/launch-editor/-/launch-editor-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/launch-editor/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
- core-2.14.3.tgz
- server-2.14.3.tgz
- launch-editor-middleware-2.2.1.tgz
- ❌ launch-editor-2.2.1.tgz (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the "file" argument in the "launchEditor", an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the "launch-editor" version 2.9.0, corresponding to vite version 5.4.9.
Publish Date: 2026-06-01
URL: CVE-2024-52011
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c27g-q93r-2cwf
Release Date: 2026-06-01
Fix Resolution (launch-editor): 2.9.0
Direct dependency fix Resolution (nuxt): 2.14.4
Step up your Open Source Security Game with Mend here
CVE-2024-52011 - High Severity Vulnerability
launch editor from node.js
Library home page: https://registry.npmjs.org/launch-editor/-/launch-editor-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/launch-editor/package.json
Dependency Hierarchy:
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the "file" argument in the "launchEditor", an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the "launch-editor" version 2.9.0, corresponding to vite version 5.4.9.
Publish Date: 2026-06-01
URL: CVE-2024-52011
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-c27g-q93r-2cwf
Release Date: 2026-06-01
Fix Resolution (launch-editor): 2.9.0
Direct dependency fix Resolution (nuxt): 2.14.4
Step up your Open Source Security Game with Mend here