Skip to main content

cyclonedx-npm CVE-2026-55849

HIGH
OS Command Injection (CWE-78)
2026-06-19 https://github.com/CycloneDX/cyclonedx-node-npm GHSA-v75r-vx73-82pj
8.5
CVSS 4.0 · Vendor: https://github.com/CycloneDX/cyclonedx-node-npm
Share

Severity by source

Vendor (https://github.com/CycloneDX/cyclonedx-node-npm) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local dev/CI tool so AV:L; a victim must run the CLI with the poisoned argument giving UI:R; attacker needs no prior privileges (PR:N) and command injection yields full C/I/A as the invoking user.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/CycloneDX/cyclonedx-node-npm).

CVSS VectorVendor: https://github.com/CycloneDX/cyclonedx-node-npm

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 08, 2026 - 22:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 22:22 NVD
8.5 (HIGH)
Source Code Evidence Fetched
Jun 19, 2026 - 21:38 vuln.today
Analysis Generated
Jun 19, 2026 - 21:38 vuln.today

DescriptionCVE.org

Summary

A command injection vulnerability exists in @cyclonedx/cyclonedx-npm when the CLI is invoked with the --workspace <value> option while the environment variable npm_execpath is unset or empty. User‑supplied --workspace values are passed to a subshell without proper sanitization, enabling attackers to inject arbitrary OS commands. This issue corresponds to CWE‑78: Improper Neutralization of Special Elements used in an OS Command.

The vulnerability was fixed in version [5.0.0][v5.0.0].

Vulnerability Details

When cyclonedx-npm is executed with the --workspace option, the provided argument is incorporated into an internal shell command. If the environment variable npm_execpath is set, the tool uses the npm executable directly and no injection occurs. However, when npm_execpath is unset or empty, the tool falls back to spawning a subshell and interpolating the --workspace value directly into the command string without proper escaping or neutralization.

As a result, specially crafted workspace names can break out of the intended command context and execute arbitrary commands with the privileges of the invoking user.

Impact

An attacker who can influence the value passed to --workspace can execute arbitrary OS commands. This may lead to:

  • Arbitrary command execution
  • Data exfiltration
  • Local privilege escalation (depending on how the tool is used)
  • Modification or destruction of files accessible to the user running the CLI

The vulnerability affects only scenarios where:

  • The user invokes cyclonedx-npm with --workspace <value>, and
  • The environment variable npm_execpath is unset or empty

Exploitation Conditions (High‑Level)

Exploitation requires the attacker to supply or influence the --workspace value passed to the CLI. If the tool falls back to its subshell execution path, specially crafted workspace identifiers can cause unintended command execution. No exploit code is included here to avoid providing weaponizable examples.

Root Cause

The CLI constructs a shell command using untrusted input from the --workspace option. Because the fallback code path does not sanitize or escape the workspace value, special shell metacharacters (e.g., ;, &&, |) are interpreted by the shell, enabling command injection.

This behavior matches CWE‑78.

Fix

The vulnerability was resolved in [PR #1476], which ensures that workspace values are handled safely and are no longer passed to a subshell in an unsafe manner.

The fix is included in @cyclonedx/cyclonedx-npm version [5.0.0][v5.0.0].

Remediation

  • Upgrade to version [5.0.0][v5.0.0] or later, which contains the complete fix.
  • As a temporary mitigation for older versions, ensure that the environment variable npm_execpath is set before invoking the tool.
  • Avoid passing untrusted or user‑controlled values to the --workspace option.

[v5.0.0]: https://github.com/CycloneDX/cyclonedx-node-npm/releases/tag/v5.0.0 [PR #1476]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1476

AnalysisAI

Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Influence --workspace value in build/CI config
Delivery
Invoke cyclonedx-npm with npm_execpath unset
Exploit
Metacharacters break out of subshell command
Execution
Arbitrary OS command runs as invoking user
Impact
Data exfiltration or file destruction

Vulnerability AssessmentAI

Exploitation Two concrete conditions must both hold: (1) the cyclonedx-npm CLI is invoked with the --workspace (or -w) option carrying an attacker-influenced value, and (2) the environment variable npm_execpath is unset or empty, which triggers the subshell fallback path in npmRunner.ts (if npm_execpath is set, npm is executed directly and no injection occurs). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The only scored signal provided is a CVSS 4.0 base of 8.5 (High) with vector AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, indicating a LOCAL attack vector requiring passive user interaction but no attacker privileges, with high confidentiality, integrity and availability impact and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In a CI pipeline that generates an SBOM, an attacker who can influence a project's workspace identifier (for example via a crafted package.json workspace name or a pipeline parameter) supplies a value containing shell metacharacters such as '; <command> ;'. When cyclonedx-npm is invoked with that value as --workspace while npm_execpath is unset, the subshell interprets the metacharacters and runs the attacker's command as the CI/build user. …
Remediation Vendor-released patch: upgrade to @cyclonedx/cyclonedx-npm version 5.0.0 or later, which reworks npm handling to execute npm explicitly rather than through a subshell (a documented BREAKING change per HISTORY.md, so validate your SBOM pipeline after upgrading since npm resolution behavior changed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Locate all @cyclonedx/cyclonedx-npm installations in versions 2.1.0-4.x and assess whether the --workspace parameter receives untrusted input in your CI/CD pipelines. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-55849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy