From 059387a8ddf4db27fb9a54b7c8f4a5da46e7f23b Mon Sep 17 00:00:00 2001
From: "Node.js GitHub Bot"
Date: Mon, 15 Sep 2025 17:18:19 +0000
Subject: [PATCH] Sync security vulnerabilities
---
 vuln/core/141.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/vuln/core/141.json b/vuln/core/141.json
index b8f69e381..d5f637cba 100644
--- a/vuln/core/141.json
+++ b/vuln/core/141.json
@@ -4,10 +4,11 @@
 ],
 "vulnerable": "18.x || 20.x || 21.x",
 "patched": "^18.20.2 || ^20.12.2 || ^21.7.3",
- "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2/",
+ "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2",
+ "description": "Command injection via args parameter of child_process.spawn without shell option enabled on Windows",
 "overview": "Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.",
 "affectedEnvironments": [
 "win32"
 ],
- "severity": "medium"
+ "severity": "high"
 }
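Review bot: The added `description` names only `child_process.spawn`, while the unchanged `overview` right after it covers both `child_process.spawn` and `child_process.spawnSync`, so a consumer that displays or matches on `description` alone would under-report the affected API. Unless the text has to mirror the upstream advisory title verbatim, I would write `"description": "Command injection via args parameter of child_process.spawn / child_process.spawnSync without shell option enabled on Windows"`. The `severity` change from `medium` to `high` has no rationale in the commit message, and tooling that gates on severity will presumably start treating win32 hosts on 18.x/20.x/21.x differently after this sync, so naming the source of the new rating there would help auditors. The record's opening fields sit above the hunk and are not visible here.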