Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Application Security

‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

A critical vulnerability in multiple programming languages allows attackers to inject commands in Windows applications.

Multiple programming languages are impacted by a critical-severity vulnerability leading to command injection in Windows applications, bug hunters at Flatt Security warn.

The issue, named ‘BatBadBut’, exists because the Windows operating system spawns the ‘cmd exe’ process when executing batch (bat) files with the ‘CreateProcess’ function, and programming languages do not properly escape command arguments.

Most programming languages wrap the ‘CreateProcess’ function to offer a more user-friendly interface but fail to properly escape the command arguments passed to the function.

The OS cannot execute batch files without ‘cmd exe’, which “has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly,” Flatt Security researcher RyotaK explains.

Because of this issue, an attacker who can control the command arguments section of the batch file can potentially inject commands into Windows applications.

For that, however, the application needs to execute a command on Windows, it should not specify the command file extension, the attacker needs to control the command arguments, and the programming language’s runtime needs to fail to escape the command arguments for ‘cmd exe’.

“Since Windows includes .bat and .cmd files in the PATHEXT environment variable by default, some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” RyotaK says.

Most applications, the researcher notes, are not affected by this vulnerability and several mitigations are available. Furthermore, some of the programming languages that were notified of the bug have taken steps to address it, such as adding another escaping mechanism for batch files.

Advertisement. Scroll to continue reading.

According to an advisory from the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University, four different CVE identifiers have been issued for the security defect, namely CVE-2024-1874, CVE-2024-22423, CVE-2024-24576, and CVE-2024-3566, but programming languages are impacted by one or two of them at most.

“If the runtime of your application doesn’t provide a patch for this vulnerability and you want to execute batch files with user-controlled arguments, you will need to perform the escaping and neutralization of the data to prevent any intended command execution,” CERT/CC notes.

To date, the Haskell process library, Rust, Node.js, PHP, and yt-dlp are known to be affected. Haskell, Rust, and yt-dlp have announced patches.

Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

Related: Ray AI Framework Vulnerability Exploited to Hack Hundreds of Clusters

Related: Most Linux Systems Exposed to Complete Compromise via Shim Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights