launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the launch-editor version 2.9.0, corresponding to vite version 5.4.9.
Exploitability
AV:NAC:LAT:PPR:NUI:AVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N7.5/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NInput Validation