CVE-2022-3008: 
NixOS vulnerability analysis and mitigation

The tinygltf library, prior to version 2.6.0, contains a command injection vulnerability (CVE-2022-3008) discovered in August 2022. The vulnerability exists in the library's file path expansion functionality, where it uses the C library function wordexp() to perform file path expansion on untrusted paths provided from input files (NVD, Debian Security).

The vulnerability stems from the improper use of the wordexp() function for file path expansion on untrusted paths. This function allows for command injection through the use of backticks in the input path. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability with potential for significant impact (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary commands by crafting malicious input files containing specially formatted paths. The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability through command execution (NVD).

The vulnerability has been fixed in tinygltf version 2.6.0 and later versions. Users are recommended to upgrade to version 2.6.0 or apply the patch from commit 52ff00a38447f06a17eab1caa2cf0730a119c751. For systems unable to upgrade immediately, the fix involves disabling the file path expansion functionality for security reasons (GitHub Commit).