CVE-2024-48963: 
JavaScript vulnerability analysis and mitigation

The Snyk CLI package versions before 1.1294.0 contain a Code Injection vulnerability (CVE-2024-48963) when scanning untrusted PHP projects. The vulnerability was discovered and disclosed on October 23, 2024, affecting the Snyk CLI software package. The issue occurs when running Snyk test inside an untrusted project due to improper handling of the current working directory name (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Snyk's own assessment rates it with a CVSS v3.1 score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code through code injection when the Snyk CLI is used to scan untrusted PHP projects. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity ratings across all three aspects (NVD).

The primary mitigation is to upgrade to Snyk CLI version 1.1294.0 or later. Additionally, Snyk recommends only scanning trusted projects as a security measure. A fix has been released in the snyk-php-plugin version 1.10.0 (Release Notes).