CVE-2022-21129
Description
Command injection in nemo-appium before 0.0.9 due to unsanitized input in the setup function, requiring appium-running 0.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Analysis
Versions of the nemo-appium package before 0.0.9 are vulnerable to Command Injection because the module.exports.setup function does not properly sanitize the apath argument, which is passed to the operating system for execution [1][3]. The fix introduced in commit aa271d36 validates that the path ends with 'appium' and contains no spaces, preventing injection of arbitrary commands [2].
To exploit the vulnerability, an attacker must be able to control the apath parameter, and the vulnerable dependency appium-running version 0.1.3 must be present [1][3]. A proof-of-concept shows that providing a string such as 'touch EXPLOITED' to the setup function results in arbitrary command execution [3].
The impact is high, as an attacker can execute arbitrary OS commands on the system where nemo-appium runs, potentially leading to complete compromise of the application or host [3]. The CVSS score reflects the critical nature of this vulnerability [1].
Users should upgrade to nemo-appium version 0.0.9 or later, which includes the input validation fix and pins the dependency to a safe version [2][3][4]. No workarounds are documented; upgrading is the recommended mitigation. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nemo-appium (npm) | < 0.0.9 | 0.0.9 |
Affected products
- nemo-appium/nemo-appium
Patches
aa271d36dd5c: prevent OS commands from being injected
3 files changed · +8 −2
index.js+5 −0 modified@@ -8,6 +8,11 @@ var error = debug('nemo-appium:error'); module.exports.setup = function (apath, nemo, cb) { + // validate apath since we are going to execute it + // should end in appium, and contain no spaces + if (apath.indexOf('appium') !== apath.length - 6 || apath.indexOf(' ') > -1) { + return cb(new Error('Invalid path to appium executable')) + } var once = function () { cb.apply(null, arguments); once = function () {
package.json+1 −1 modified@@ -23,7 +23,7 @@ }, "homepage": "https://github.com/paypal/nemo-appium#readme", "dependencies": { - "appium-running": "^0.1.3", + "appium-running": "0.1.3", "debug": "^2.2.0" } }
test/index.js+2 −1 modified@@ -1,10 +1,11 @@ var naPlugin = require('../index'); var nemo = {}; ///Users/medelman/.nvm/current/bin/appium -var appiumPath = process.env.APPIUM_PATH; +var appiumPath ='touch HACKED && ~/bin/appium'; naPlugin.setup(appiumPath, nemo, function (err, out) { if (err) { + console.log('You want to see this error. It means the setup function is validating the appium path for potential OS commands'); return console.error(err); } setTimeout(function () {
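Review bot: in the index.js hunk, the check `apath.indexOf('appium') !== apath.length - 6` uses the first occurrence of "appium", so a legitimate path that contains "appium" in an earlier directory component (for example `/opt/appium/bin/appium`) is rejected even though it ends in `appium`; compare the tail instead, e.g. `apath.slice(-6) === 'appium'` or `path.basename(apath) === 'appium'`. The check also assumes `apath` is a string: an `undefined` or non-string argument throws on `.indexOf` before the callback can report an error, so a `typeof apath !== 'string'` guard should come first. Rejecting spaces alone is a narrow denylist for a value that is about to be executed; since the finding is command injection, a more robust fix is to pass the path as the file argument of `child_process.execFile` with an argument array (no shell) and to validate it against an allow-list such as `/^[A-Za-z0-9_./-]+$/`. Minor: `return cb(new Error('Invalid path to appium executable'))` is missing the semicolon used elsewhere in the file.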
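Review bot: in the package.json hunk, pinning `appium-running` from `^0.1.3` to exactly `0.1.3` needs an explanation in the commit, because the CVE description names appium-running 0.1.3 as the version the vulnerability requires, so a reader cannot tell from this hunk whether the exact pin is part of the fix or freezes the problematic version; a sentence in the commit message, and a lockfile if the exact version matters, would make the intent verifiable.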
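Review bot: in the test/index.js hunk, replacing `process.env.APPIUM_PATH` with the hard-coded `'touch HACKED && ~/bin/appium'` means the happy path (a valid appium path accepted by `setup`) is no longer exercised and the test now only passes when `setup` rejects its input; keep both cases, and assert that `err` is set for the malicious input instead of logging 'You want to see this error'. The stale comment `///Users/medelman/.nvm/current/bin/appium` above it should also be removed.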
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c6rx-gxqv-vr5j (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-21129 (advisory, via GHSA)
- github.com/paypal/nemo-appium/blob/master/index.js%23L27 (web, via GHSA)
- github.com/paypal/nemo-appium/commit/aa271d36dd5c81baae3c43aa2616c84f0ee4195f (web, via GHSA)
- security.snyk.io/vuln/SNYK-JS-NEMOAPPIUM-3183747 (web, via GHSA)
News mentions
No linked articles in our index yet.