CVE-2024-3566

Name: CVE-2024-3566
Creator: NVD / NIST
Published: 2024-04-10T16:15:16.083+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 6.88%

Last modified Jun 17, 2026

CVE-2024-3566 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.. EPSS estimates a 6.88% chance of exploitation in the next 30 days.

Description

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

6.88%

93.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-77

Affected Software

Vendor	Product	Versions
Haskell	Process Library	< 1.6.19.0
Nodejs	Node.Js	< 18.20.2
Nodejs	Node.Js	>= 19.0.0, < 20.12.2
Nodejs	Node.Js	>= 21.0.0, < 21.7.3
Php	Php	< 8.1.28
Php	Php	>= 8.2.0, < 8.2.18
Php	Php	>= 8.3.0, < 8.3.6
Rust-Lang	Rust	< 1.77.2
Yt-Dlp Project	Yt-Dlp	>= 2021.04.11, < 2024.04.09

References

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/Exploit, Third Party Advisory
https://kb.cert.org/vuls/id/123335Third Party Advisory
https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-wayTechnical Description
https://www.cve.org/CVERecord?id=CVE-2024-1874Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-22423Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-24576Not Applicable
https://www.kb.cert.org/vuls/id/123335Not Applicable
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/Exploit, Third Party Advisory
https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566Third Party Advisory
https://kb.cert.org/vuls/id/123335Third Party Advisory
https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-wayTechnical Description
https://www.cve.org/CVERecord?id=CVE-2024-1874Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-22423Not Applicable
https://www.cve.org/CVERecord?id=CVE-2024-24576Not Applicable
https://www.kb.cert.org/vuls/id/123335Not Applicable

Timeline

Published: Apr 10, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-3566?

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

How severe is CVE-2024-3566?

CVE-2024-3566 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 6.88% probability of exploitation in the next 30 days.

How do I fix CVE-2024-3566?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-3566?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST