chore(deps): update dependency @cyclonedx/cyclonedx-npm to v5 [security]#4497
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @cyclonedx/cyclonedx-npm to v5 [security]#4497renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
8f7e271 to
c94f23d
Compare
c94f23d to
bfe0e8d
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
^4.2.1→^5.0.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
CVE-2026-55849 / GHSA-v75r-vx73-82pj
More information
Details
Summary
A command injection vulnerability exists in
@cyclonedx/cyclonedx-npmwhen the CLI is invoked with the--workspace <value>option while the environment variablenpm_execpathis unset or empty.User‑supplied
--workspacevalues are passed to a subshell without proper sanitization, enabling attackers to inject arbitrary OS commands.This issue corresponds to CWE‑78: Improper Neutralization of Special Elements used in an OS Command.
The vulnerability was fixed in version 5.0.0.
Vulnerability Details
When
cyclonedx-npmis executed with the--workspaceoption, the provided argument is incorporated into an internal shell command.If the environment variable
npm_execpathis set, the tool uses the npm executable directly and no injection occurs.However, when
npm_execpathis unset or empty, the tool falls back to spawning a subshell and interpolating the--workspacevalue directly into the command string without proper escaping or neutralization.As a result, specially crafted workspace names can break out of the intended command context and execute arbitrary commands with the privileges of the invoking user.
Impact
An attacker who can influence the value passed to
--workspacecan execute arbitrary OS commands.This may lead to:
The vulnerability affects only scenarios where:
cyclonedx-npmwith--workspace <value>, andnpm_execpathis unset or emptyExploitation Conditions (High‑Level)
Exploitation requires the attacker to supply or influence the
--workspacevalue passed to the CLI.If the tool falls back to its subshell execution path, specially crafted workspace identifiers can cause unintended command execution.
No exploit code is included here to avoid providing weaponizable examples.
Root Cause
The CLI constructs a shell command using untrusted input from the
--workspaceoption.Because the fallback code path does not sanitize or escape the workspace value, special shell metacharacters (e.g.,
;,&&,|) are interpreted by the shell, enabling command injection.This behavior matches CWE‑78.
Fix
The vulnerability was resolved in PR #1476, which ensures that workspace values are handled safely and are no longer passed to a subshell in an unsafe manner.
The fix is included in
@cyclonedx/cyclonedx-npmversion 5.0.0.Remediation
npm_execpathis set before invoking the tool.--workspaceoption.Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
CycloneDX/cyclonedx-node-npm (@cyclonedx/cyclonedx-npm)
v5.0.0Compare Source
npmis now executed explicitly rather than through a subshell.The behavior when
npm_execpathis present remains unchanged.--workspaceargument (via #1476)See GHSA-v75r-vx73-82pj
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.