Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Published: 2024-09-07

CVSS: 8.1

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Download Exploit for CVE-2024-36138 here:

Use Tor Browser to access .onion links.

Check our team here:

https://tatramed.sk/exploit-396-cve-2020-3259/

https://tatramed.sk/exploit-1005-cve-2024-56519/

https://tatramed.sk/exploit-469-cve-2023-29403/

https://tatramed.sk/exploit-1171-cve-2025-8061/