Miggo Logo
Miggo Vulnerability Database
CVE-2022-25171

CVE-2022-25171: p4 vulnerable to Command Injection due to improper input sanitization

7.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25171
GHSA ID
GHSA-jfm8-hwhg-r6gg
EPSS Score
0.65835%
CWE
CWE-78
Published
12/20/2022
Updated
8/17/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
p4npm< 0.0.70.0.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the pre-patch implementation of runCommand in p4.js, which used child_process.exec() with string concatenation to execute p4 commands. This approach allowed command injection through specially crafted arguments, as demonstrated in the Snyk PoC. The patch replaced exec() with spawn() and array-based argument handling, confirming the vulnerability existed in the original runCommand implementation. The function is explicitly referenced in CVE descriptions and security advisories as the injection vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** p* ***or* *.*.* is vuln*r**l* to *omm*n* Inj**tion vi* t** run() *un*tion *u* to improp*r input s*nitiz*tion

Reasoning

T** vuln*r**ility st*ms *rom t** pr*-p*t** impl*m*nt*tion o* run*omm*n* in p*.js, w*i** us** **il*_pro**ss.*x**() wit* strin* *on**t*n*tion to *x**ut* p* *omm*n*s. T*is *ppro*** *llow** *omm*n* inj**tion t*rou** sp**i*lly *r**t** *r*um*nts, *s **mons