CVE-2022-25853: 
JavaScript vulnerability analysis and mitigation

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization. The vulnerability was discovered and disclosed on December 19, 2022, and was assigned CVE-2022-25853. This security flaw affects all versions of the semver-tags package running on Node.js (Snyk Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) by NVD with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). The vulnerability exists in the getGitTagsRemote function where improper input sanitization allows for command injection attacks (NVD).

The vulnerability can lead to a complete compromise of system confidentiality, integrity, and availability within the scope of the affected component. An attacker who successfully exploits this vulnerability could execute arbitrary commands on the target system, potentially leading to unauthorized access, data manipulation, or service disruption (Snyk Advisory).

Currently, there is no fixed version available for the semver-tags package. Users are advised to assess their exposure to this vulnerability and consider alternative packages or implementing additional security controls to prevent command injection attacks (Snyk Advisory).