9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25865

GHSA ID

GHSA-5875-m6jq-vf78

EPSS Score

0.80389%

CWE

CWE-77

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25865

CVE-2022-25865: Command injection in workspace-tools

The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25865

GHSA ID

GHSA-5875-m6jq-vf78

EPSS Score

0.80389%

CWE

CWE-77

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
workspace-tools	npm	< 0.18.4	0.18.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows both functions were patched by adding '--' argument separation in git fetch calls. This indicates they previously allowed injecting flags via user-controlled parameters (remote/remoteBranch). The CVE description explicitly implicates fetchRemoteBranch, while fetchRemote shares the same vulnerable pattern. The Snyk PoC demonstrates exploitation via parameter manipulation, and the fix confirms both were attack vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** worksp***-tools ***or* *.**.* is vuln*r**l* to *omm*n* Inj**tion vi* *it *r*um*nt inj**tion. W**n **llin* t** **t**R*mot**r*n**(r*mot*: strin*, r*mot**r*n**: strin*, *w*: strin*) *un*tion, *ot* t** r*mot* *n* r*mot**r*n** p*r*m*t*rs *r* p

Reasoning

T** *ommit *i** s*ows *ot* `*un*tions` w*r* p*t**** *y ***in* '--' *r*um*nt s*p*r*tion in `*it **t**` **lls. T*is in*i**t*s t**y pr*viously *llow** inj**tin* *l**s vi* us*r-*ontroll** p*r*m*t*rs (`r*mot*/r*mot**r*n**`). T** *V* **s*ription *xpli*itly

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-25865: Command injection in workspace-tools

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI