CVE Reports

Posted on • Originally published at cvereports.com

CVE-2024-52011: Remote Command Injection in ViteJS launch-editor

Vulnerability ID: CVE-2024-52011
CVSS Score: 7.5
Published: 2026-06-03

CVE-2024-52011 is a critical command injection vulnerability in the ViteJS launch-editor utility (versions prior to 2.9.0) affecting Windows environments. Unsanitized command-line arguments can lead to remote code execution on a developer workstation via cross-origin requests targeting the local development server.

TL;DR

ViteJS launch-editor before version 2.9.0 on Windows fails to validate line numbers parsed from filenames, allowing remote attackers to trigger arbitrary command execution on developer workstations via cross-origin HTTP requests targeting the local development server.
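The defect the summary describes (a line number taken from the end of a filename and passed on without validation) and the shape of the fix the commit message summarises (control what reaches the shell) can be shown with a small parser. The code below is an added example written for this post, not code from launch-editor or Vite. It assumes an editor invoked with VS Code's `--goto path:line:column` form; the function names, the forbidden-character list and the sample specs are this example's own choices.

```javascript
// Added example (not code from launch-editor or Vite): the defensive shape of
// an "open in editor" helper. It parses "path[:line[:column]]" strictly and
// hands the editor an argv array, so nothing is interpreted by a shell.

// Characters that are never valid in a Windows file name (separators aside).
const FORBIDDEN_PATH_CHARS = /[<>"|?*\x00-\x1f]/;

// Parse a spec into { path, line, column }; return null if it is unacceptable.
// Only trailing ":<digits>" components (at most two) count as line/column, so
// the drive-letter colon in "C:\..." stays with the path. Any other colon that
// survives the parse means a non-numeric "line" was supplied, and is rejected.
function parseTarget(spec) {
  if (typeof spec !== "string" || spec.length === 0) return null;
  let path = spec;
  const nums = [];
  for (let i = 0; i < 2; i++) {
    const idx = path.lastIndexOf(":");
    if (idx <= 0) break;
    const tail = path.slice(idx + 1);
    if (!/^\d+$/.test(tail)) break;
    nums.unshift(Number(tail));
    path = path.slice(0, idx);
  }
  if (path.length === 0 || FORBIDDEN_PATH_CHARS.test(path)) return null;
  const firstColon = path.indexOf(":");
  if (firstColon !== -1) {
    // The only colon a Windows path may contain is the drive-letter colon.
    const isDrive = firstColon === 1 && /^[A-Za-z]:[\\/]/.test(path);
    if (!isDrive || path.indexOf(":", 2) !== -1) return null;
  }
  return { path, line: nums[0] ?? null, column: nums[1] ?? null };
}

// Build the argv for VS Code's "--goto path:line:column" form (assumed editor).
// Each array element is exactly one argument to the editor process.
function buildEditorArgs(target) {
  let location = target.path;
  if (target.line !== null) location += `:${target.line}`;
  if (target.column !== null) location += `:${target.column}`;
  return ["--goto", location];
}

// What a safe launcher would execute: command + argv, shell disabled. Returns
// null for any spec the parser refuses.
function planLaunch(spec, editor = "code") {
  const target = parseTarget(spec);
  if (target === null) return null;
  return { command: editor, args: buildEditorArgs(target), options: { shell: false } };
}

// The anti-pattern the advisory describes: one string handed to a shell, in
// which the raw spec is free to carry shell syntax. Returned, never executed.
function unsafeCommandLine(spec, editor = "code") {
  return `${editor} --goto ${spec}`;
}

// Actually start the editor (not exercised by the checks below).
async function launchEditor(spec, editor = "code") {
  const plan = planLaunch(spec, editor);
  if (plan === null) return false;
  const { spawn } = await import("node:child_process");
  spawn(plan.command, plan.args, { ...plan.options, stdio: "ignore", detached: true }).unref();
  return true;
}
```

The two properties worth keeping are independent: the parser accepts only digit-string line and column fields, and the launcher passes an argv array with `shell: false`, so even a path that legitimately contains characters a shell would treat specially is delivered to the editor as a single argument. A spec such as `app.js:12 extra` is rejected by `parseTarget` outright, whereas `unsafeCommandLine` would have forwarded it verbatim.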


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-77
  • Attack Vector: Network / Cross-Origin HTTP Request
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.0006
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Vite Development Server
  • launch-editor (npm package)
  • Windows Operating System
  • launch-editor: < 2.9.0 (Fixed in: 2.9.0)
  • vite: < 5.4.9 (Fixed in: 5.4.9)

Code Analysis

Commit: 971291e

fix: prevent command injection on Windows by escaping shell arguments in launch-editor

Mitigation Strategies

  • Upgrade launch-editor to version 2.9.0 or higher.
  • Upgrade vite to version 5.4.9 or higher.
  • Enforce strict host header validation and cross-origin controls on development servers.
  • Utilize browser plugins or local firewalls to block cross-origin requests targeting localhost.
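The host-header and cross-origin controls in the list above can be expressed as a small allowlist check placed in front of any privileged dev-server endpoint. The code below is an added example for this post, not Vite's or launch-editor's code; the allowlist (a server on port 5173), the function names and the sample requests are constructed for illustration.

```javascript
// Added example (not Vite's or launch-editor's code): an allowlist check on
// the Host and Origin headers, applied before a privileged dev-server endpoint
// such as an "open in editor" handler does anything.
// The allowlist below is a constructed sample for a server on port 5173.
const ALLOWED_HOSTS = new Set(["localhost:5173", "127.0.0.1:5173", "[::1]:5173"]);

// Browsers send "Origin: <scheme>://<host>" on cross-site requests; only the
// server's own origins are acceptable.
function allowedOrigins(hosts) {
  return new Set([...hosts].map((h) => `http://${h}`));
}

// Returns { allowed, reason }. Node lower-cases header names, so the caller
// can pass req.headers directly.
function checkRequest(headers, hosts = ALLOWED_HOSTS) {
  const host = (headers.host ?? "").toLowerCase();
  if (!hosts.has(host)) {
    // Also covers DNS-rebinding style requests that arrive with a foreign Host.
    return { allowed: false, reason: `host "${host}" is not on the allowlist` };
  }
  const origin = headers.origin;
  if (origin === undefined) {
    // No Origin: a same-origin navigation or a non-browser client. The Host
    // check above already passed, so let it through.
    return { allowed: true, reason: "no Origin header; host allowed" };
  }
  if (allowedOrigins(hosts).has(origin.toLowerCase())) {
    return { allowed: true, reason: "origin matches the server" };
  }
  // "null" (sandboxed frames, file:// pages) and any other site land here.
  return { allowed: false, reason: `cross-origin request from "${origin}" rejected` };
}

// Connect/Express-style middleware built on the check: 403 when rejected.
function originGuard(req, res, next) {
  const verdict = checkRequest(req.headers);
  if (verdict.allowed) return next();
  res.statusCode = 403;
  res.setHeader("Content-Type", "text/plain");
  res.end(`Forbidden: ${verdict.reason}\n`);
}
```

Mount `originGuard` ahead of the editor-launch route on the dev server's middleware chain. A page served from another site always sends an `Origin` header, so the cross-origin request path in the advisory ends in the 403 branch; requests with no `Origin` at all are admitted only when `Host` is one of the server's own names, which is the same host validation the mitigation list asks for. Current Vite releases expose comparable controls through the `server.cors` and `server.allowedHosts` options; confirm the installed version supports them before relying on them.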

Remediation Steps:

  1. Verify the installed launch-editor and vite versions in package-lock.json or yarn.lock.
  2. Run 'npm install launch-editor@latest' or 'npm update vite' to apply security updates.
  3. Restart any running local development servers to apply the patched versions.
