CVE-2022-24377: cycle-import-check vulnerable to Command Injection
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-24377
GHSA ID
EPSS Score: 0.89145%
CWE: CWE-77 (Command Injection)
Published: 12/14/2022
Updated: 8/17/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
cycle-import-check | npm | < 1.3.2 | 1.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is attributed to writeFileToTmpDirAndOpenIt in all advisory sources. The function:
1. Constructs OS commands with exec() from unsanitized user input (the filename parameter).
2. Uses string interpolation to build commands of the form `start ${path}` (Windows) or `open ${path}` (macOS), so any shell metacharacters in the filename are interpreted by the shell rather than treated as part of the path.
3. Was removed entirely in the patched version (1.3.2), as seen in the commit diff.
4. Has a documented PoC demonstrating injection via the filename parameter.
5. Directly matches the CWE-77 command injection pattern: unsanitized user input placed in an OS command string.