CVE-2022-25853: semver-tags is vulnerable to Command Injection via the getGitTagsRemote function

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.25917%
Published: 2/6/2023
Updated: 2/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
semver-tags | npm | <= 0.4.10 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is clearly identified in the getGitTagsRemote function through multiple sources:
1) The GitHub advisory directly references line 21 of get-tags.js, which contains the vulnerable command construction.
2) The code shows direct interpolation of the path parameter into a shell command without proper escaping: cp.exec('git ls-remote --tags "' + path + '"').
3) The Snyk PoC demonstrates exploitation through manipulated path input.
4) The CWE-77 classification confirms the command injection pattern.
Other functions like getGitTags and getSvnTags don't show the same unsanitized input pattern in the provided code snippets.

WAF Protection Rules

WAF Rule

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.