{"uuid": "7b2806bb-80c9-4ff5-b6fc-b74136938eda", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-c27g-q93r-2cwf", "type": "seen", "source": "https://gist.github.com/alon710/af9fd1f0bf5e15b0603c7992be5645c7", "content": "# CVE-2024-52011: CVE-2024-52011: Remote Command Injection in ViteJS launch-editor\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2024-52011\n\n## Summary\nCVE-2024-52011 is a critical command injection vulnerability in the ViteJS launch-editor utility (versions prior to 2.9.0) affecting Windows environments. Unsanitized command-line arguments can lead to remote code execution on a developer workstation via cross-origin requests targeting the local development server.\n\n## TL;DR\nViteJS launch-editor before version 2.9.0 on Windows fails to validate line numbers parsed from filenames, allowing remote attackers to trigger arbitrary command execution on developer workstations via cross-origin HTTP requests targeting the local development server.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-77\n- **Attack Vector**: Network / Cross-Origin HTTP Request\n- **CVSS Score**: 7.5 (High)\n- **EPSS Score**: 0.0006\n- **Impact**: Remote Code Execution (RCE)\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Vite Development Server\n- launch-editor (npm package)\n- Windows Operating System\n- **launch-editor**: < 2.9.0 (Fixed in: `2.9.0`)\n- **vite**: < 5.4.9 (Fixed in: `5.4.9`)\n\n## Mitigation\n\n- Upgrade launch-editor to version 2.9.0 or higher.\n- Upgrade vite to version 5.4.9 or higher.\n- Enforce strict host header validation and cross-origin controls on development servers.\n- Utilize browser plugins or local firewalls to block cross-origin requests targeting localhost.\n\n**Remediation Steps:**\n1. Verify the installed launch-editor and vite versions in package-lock.json or yarn.lock.\n2. Run 'npm install launch-editor@latest' or 'npm update vite' to apply security updates.\n3. Restart any running local development servers to apply the patched versions.\n\n## References\n\n- [GitHub Security Advisory GHSA-c27g-q93r-2cwf](https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf)\n- [NVD - CVE-2024-52011](https://nvd.nist.gov/vuln/detail/CVE-2024-52011)\n- [CVE Org Authority Record - CVE-2024-52011](https://www.cve.org/CVERecord?id=CVE-2024-52011)\n- [Official Fix Commit](https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2024-52011) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T19:00:57.000000Z"}