CVE-2022-25908

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions create-choo-electron versions all

Description The issue arises from improper user-input sanitization, making all versions of the package susceptible to Command Injection via the devInstall function.

Recommendations For all versions, consider disabling the devInstall function as a temporary workaround until a patch is available. Restrict access to the devInstall function to minimize the risk of exploitation. Avoid using user-input in the devInstall function until the issue is resolved.

Exploit

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

CVE-2022-25908

GHSA-J8WR-FWF2-VVR9

Affected Products

Create-Choo-Electron

CVE-2022-25908

Weakness Enumeration

Related Identifiers

Affected Products

References · 4