Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. Impact: Thank you, to ryotak for reporting this vulnerability and thank you Ben Noordhuis for fixing it. Summary The Node.js project will release new versions of the 18.x, 20.x, 21.x releases lines on or shortly after, Tuesday, April 9, 2024 in order to address: