PatchSiren cyber security CVE debrief

CVE-2024-52011 vitejs CVE debrief

CVE-2024-52011 is a command injection vulnerability in the launch-editor npm package, affecting versions prior to 2.9.0. The flaw is insufficient sanitization of the `file` argument in the `launchEditor` function on Windows systems. An attacker can execute arbitrary commands by supplying a crafted filename containing special characters. This vulnerability is particularly relevant for development environments using Vite, as the fix corresponds to Vite version 5.4.9. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring no privileges but user interaction, and high impact on confidentiality, integrity, and availability. The weakness is categorized as CWE-77 (Command Injection). The vulnerability was disclosed via GitHub Security Advisories and has been addressed with a patch commit.

Vendor: vitejs
Product: launch-editor
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-02
Advisory published: 2026-06-01
Advisory updated: 2026-06-02

Who should care

Development teams using launch-editor or Vite in their build tooling, particularly on Windows environments. Security teams responsible for software composition analysis and dependency management in JavaScript/TypeScript projects. Organizations with developer workstations running Windows where compromised development dependencies could lead to code execution.

Technical summary

The launch-editor package provides functionality to open files with line numbers in an editor from Node.js applications. Prior to version 2.9.0, the `launchEditor` function fails to properly sanitize the `file` argument on Windows platforms. This insufficient input validation allows an attacker to inject arbitrary commands through specially crafted filenames containing shell metacharacters. The vulnerability is exploitable when user-controlled input reaches the `launchEditor` function without adequate sanitization. The issue has been remediated in launch-editor 2.9.0, which is incorporated into Vite 5.4.9. The CVSS 4.0 score of 7.5 (HIGH) reflects significant impact potential with network accessibility, though requiring user interaction for exploitation.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade launch-editor to version 2.9.0 or later, or upgrade Vite to version 5.4.9 or later
  • Audit applications using launch-editor for unsanitized user input passed to the `launchEditor` function
  • On Windows systems, validate and sanitize filename inputs before passing to launch-editor, rejecting special characters that could enable command injection
  • Review development environment configurations for exposure of launch-editor functionality to untrusted input
  • Monitor for updates to launch-editor and Vite dependencies in package management workflows

Evidence notes

Vulnerability description sourced from NVD record and GitHub Security Advisory GHSA-c27g-q93r-2cwf. Patch commit 971291e8a6a91226e1616c5c0ec85423d2d50a5e confirms fix in launch-editor 2.9.0. CVSS 4.0 vector from NVD metadata. CWE-77 classification from [email protected] source.
