Miggo Logo
Miggo Vulnerability Database
CVE-2022-1537

CVE-2022-1537:
Race Condition in Grunt

7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-1537
GHSA ID
GHSA-rm36-94g8-835r
EPSS Score
0.40503%
CWE
CWE-367
Published
5/11/2022
Updated
4/6/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
gruntnpm< 1.5.31.5.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows the vulnerability was in the file.copy function's handling of destination symlinks. The removed code performed a non-atomic check-and-unlink pattern (CWE-367), while the patch moved symlink detection to later in the process. The NVD description explicitly references file.copy operations as the vulnerability source, and the GitHub advisory links to a commit that specifically modifies this function's symlink handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*il*.*opy op*r*tions in *runtJS *r* vuln*r**l* to * TO*TOU r*** *on*ition l***in* to *r*itr*ry *il* writ* in *it*u* r*pository *runtjs/*runt prior to *.*.*. T*is vuln*r**ility is **p**l* o* *r*itr*ry *il* writ*s w*i** **n l*** to lo**l privil*** *s**

Reasoning

T** *ommit *i** s*ows t** vuln*r**ility w*s in t** `*il*.*opy` *un*tion's **n*lin* o* **stin*tion symlinks. T** r*mov** *o** p*r*orm** * non-*tomi* ****k-*n*-unlink p*tt*rn (*W*-***), w*il* t** p*t** mov** symlink **t**tion to l*t*r in t** `pro**ss`.