CVE-2022-45145: 
NixOS vulnerability analysis and mitigation

CVE-2022-45145 affects CHICKEN versions 5.x before 5.3.1, specifically the egg-compile.scm component. The vulnerability was discovered by Vasilij and disclosed on November 11, 2022. This security flaw allows arbitrary OS command execution during package installation through escape characters in .egg files (GNU List, NVD).

The vulnerability stems from improper handling of escape characters in .egg files during the installation of extension packages. The issue is specifically related to how egg metadata is created and installed in the local egg repository during the install-stage. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows attackers to execute arbitrary OS commands during package installation, potentially leading to complete system compromise. The high CVSS score reflects the severe potential impact on system confidentiality, integrity, and availability (NVD).

The issue has been fixed in commit a08f8f548d772ef410c672ba33a27108d8d434f3. Users should upgrade to CHICKEN version 5.3.1 or later. Additionally, it is recommended to verify *.egg files for possible shell escape characters before including their access information in the centralized egg-locations file (GNU List).