CVE-2022-25890: wifey vulnerable to Command Injection due to improper input sanitization
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-25890
GHSA ID:
EPSS Score: 0.64544%
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Published: 1/9/2023
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| wifey | npm | <= 2.0.7 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Multiple sources (GitHub Advisory, NVD, Snyk) name the connect() function as the injection vector.
- The published PoC demonstrates OS command injection through the SSID parameter passed to connect(): the SSID is interpolated into a shell command, so shell metacharacters in it terminate the intended command and start an attacker-chosen one.
- The CWE-78 mapping (OS command injection) matches this pattern.
- The vulnerability manifests whenever user-controlled input flows into a system command without validation or argument-level separation; the CVSS vector (network, no privileges, no user interaction, high impact on confidentiality, integrity and availability) reflects a caller that passes an untrusted, remotely supplied SSID to connect().
- The affected file path is not disclosed in the available data, but the function name and attack pattern are consistently identified across all sources.
- No first patched version is listed; all versions up to and including 2.0.7 are affected.