CVE-2024-27980 forces a breaking change: on Windows, child_process.spawn now errors on .bat/.cmd files without an explicit shell option, and requires sanitized input or the shell:true flag.
Summary
Windows developers using spawn/spawnSync to execute batch files will see EINVAL errors after patching unless they add shell:true or sanitize arguments. This is a mandatory upgrade blocking production deployments.
Implementation verdict
Replaces the unsafe implicit shell invocation with an explicit opt-in. Required work: audit every spawn/spawnSync call that targets a .bat/.cmd file, add {shell: true} where the arguments are known to be safe, or sanitize the command input before it reaches cmd.exe. The 18.x/20.x/21.x lines must be upgraded immediately; the HIGH-severity issue affects all active release lines.
Sources
Dev Signal