CVE-2022-41642: 
JavaScript vulnerability analysis and mitigation

OS command injection vulnerability was discovered in Nadesiko3 (PC Version) v3.3.61 and earlier. The vulnerability was identified in December 2022 and assigned CVE-2022-41642. The vulnerability affects the processing of compression and decompression functions in the PC Version of Nadesiko3 (JPCERT).

The vulnerability is classified as an OS command injection (CWE-78) with a CVSS v3.0 base score of 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CVSS v2 base score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). The issue exists in the compression and decompression processing functionality of the application (JPCERT).

If successfully exploited, an attacker can execute arbitrary OS commands on the affected system when compression and/or decompression functions are executed. This could lead to complete system compromise with the ability to execute unauthorized commands (JPCERT).

The vulnerability has been fixed in subsequent releases. Users are advised to update to the latest version of the software. The fix was implemented through multiple commits (56ccfb2, 61a7079, 124871c) as confirmed by the developer (GitHub Issue).

The vulnerability was discovered during a Security Next Camp event and was responsibly reported by security researcher Satoki Tsuji. The developer acknowledged the report and expressed gratitude for the discovery (GitHub Issue).