PT-2022-7691 · Tinygltf+2

Oliverchang · Published 2022-09-05 · Updated 2024-11-26 · CVE-2022-3008

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: tinygltf versions prior to 2.6.0

Description: The tinygltf library uses the C library function wordexp() to expand file paths taken from untrusted input files. Because wordexp() performs shell-style command substitution, a path containing backticks is executed as a command: an attacker who can place a crafted path in an input file can achieve arbitrary code execution in the process that loads it.

Recommendations: For versions prior to 2.6.0, upgrade to version 2.6.0 or apply the changes from commit 52ff00a38447f06a17eab1caa2cf0730a119c751 to resolve the issue. As a temporary workaround, consider restricting the use of the wordexp() function until a patch is applied.
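As an added illustration of the wordexp() hazard and one way to neutralise it (example code written for this page, not code from tinygltf, and not necessarily what the project's fix does): wordexp() accepts the WRDE_NOCMD flag, which makes it refuse command substitution (backticks and $(...)) with the WRDE_CMDSUB error instead of running a shell. The helper name expand_path_nocmd and the sample paths are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand shell-style ~ and $VAR in a path read from an untrusted file,
 * with command substitution disabled. Calling wordexp() with flags == 0
 * (the vulnerable pattern) lets `cmd` or $(cmd) inside the path run a
 * shell; WRDE_NOCMD makes wordexp() fail with WRDE_CMDSUB instead.
 * Returns 0 and writes the single expanded word to out, or -1 on any
 * wordexp() error, when the expansion does not yield exactly one word,
 * or when the result does not fit in out. */
int expand_path_nocmd(const char *path, char *out, size_t outlen) {
    wordexp_t we;
    memset(&we, 0, sizeof we);            /* wordfree() on a zeroed struct is a no-op */
    int rc = wordexp(path, &we, WRDE_NOCMD);
    if (rc != 0) {
        /* WRDE_CMDSUB (command substitution present), WRDE_BADCHAR,
         * WRDE_SYNTAX, WRDE_NOSPACE: treat every failure as a rejection */
        wordfree(&we);
        return -1;
    }
    int ok = -1;
    /* A path that expands to several words (unquoted spaces, a glob that
     * matches several files) is ambiguous; refuse it rather than guess. */
    if (we.we_wordc == 1 && strlen(we.we_wordv[0]) < outlen) {
        strcpy(out, we.we_wordv[0]);
        ok = 0;
    }
    wordfree(&we);
    return ok;
}

int main(void) {
    /* constructed sample inputs: a plain path and two that carry command substitution */
    const char *inputs[] = { "textures/diffuse.png", "textures/`echo x`.png", "$(echo x).bin" };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (expand_path_nocmd(inputs[i], buf, sizeof buf) == 0)
            printf("accepted: %s -> %s\n", inputs[i], buf);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```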

Weakness Enumeration: OS Command Injection, Command Injection

Related Identifiers

BDU:2024-10529
CVE-2022-3008
DSA-5232-1
USN-7129-1

Affected Products

Linuxmint
Ubuntu
Tinygltf