PT-2022-3577 · Npm · Npm-Dependency-Versions

Xiaofen9 · Published 2022-04-12 · Updated 2023-08-08 · CVE-2022-29080

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: npm-dependency-versions versions 0.3.0 and earlier

Description: The vulnerability stems from insufficient argument validation in the npm-dependency-versions package, which allows command injection. An attacker can exploit it by calling dependencyVersions with a JSON object whose pkgs key contains a value with shell metacharacters, potentially allowing remote execution of arbitrary commands.

Recommendations: For versions 0.3.0 and earlier, consider disabling the dependencyVersions function until a patch is available to prevent command injection attacks. Restrict access to the dependencyVersions function to minimize the risk of exploitation. Avoid using the pkgs key in the JSON object passed to the dependencyVersions function until the issue is resolved.

Weakness Enumeration

OS Command Injection
Command Injection

Related Identifiers

BDU:2022-04361
CVE-2022-29080
GHSA-M7XQ-8JP8-RJ2C

Affected Products

Npm-Dependency-Versions