Miggo Logo
Miggo Vulnerability Database
CVE-2022-25962

CVE-2022-25962: Command injection in vagrant.js

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25962
GHSA ID
GHSA-54jw-jqr9-6cj9
EPSS Score
0.7103%
CWE
CWE-77
Published
1/26/2023
Updated
2/3/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
vagrant.jsnpm<= 0.0.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. All vulnerability sources explicitly name boxAdd as the vulnerable entry point
  2. The Snyk PoC demonstrates command injection via boxAdd parameters
  3. CWE-77 classification confirms command injection pattern
  4. The function's purpose (managing Vagrant boxes) inherently requires executing system commands
  5. Lack of input sanitization mentioned in all descriptions matches command injection vulnerability patterns

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* t** p**k*** v**r*nt.js *r* vuln*r**l* to *omm*n* Inj**tion vi* t** *ox*** *un*tion *u* to improp*r input s*nitiz*tion.

Reasoning

*. *ll vuln*r**ility sour**s *xpli*itly n*m* *ox*** *s t** vuln*r**l* *ntry point *. T** Snyk Po* **monstr*t*s *omm*n* inj**tion vi* *ox*** p*r*m*t*rs *. *W*-** *l*ssi*i**tion *on*irms *omm*n* inj**tion p*tt*rn *. T** *un*tion's purpos* (m*n**in* V**