Arbitrary Command Injection
Description
The package @acrontum/filesystem-template before 0.0.2 is vulnerable to Arbitrary Command Injection because the fetchRepo API does not sanitize the href field of external input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
@acrontum/filesystem-template before 0.0.2 has an arbitrary command injection vulnerability in the fetchRepo API due to unsanitized href input.
The package @acrontum/filesystem-template before version 0.0.2 is vulnerable to arbitrary command injection in its fetchRepo API [1][2]. The vulnerability stems from the lack of sanitization of the href field when processing external input, allowing an attacker to inject malicious commands [1][2].
An attacker can exploit this by supplying a crafted URL or recipe file containing a specially designed href value. When the fetchRepo function processes this input, it executes arbitrary commands on the system without proper validation [3][4]. The vulnerable code path originally accepted a URL directly and used it unsanitized [4].
Successful exploitation enables an attacker to execute arbitrary commands, potentially leading to full system compromise, data theft, or further lateral movement within the environment [2].
The issue has been fixed in version 0.0.2 by removing the URL parameter from fetchRepo and implementing proper input validation [3][4]. Users are advised to update to the latest version to mitigate the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
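The insight above describes the class of bug: an href from an untrusted recipe or URL reaching a command (here, a clone) without validation. The following is an added example, not code from @acrontum/filesystem-template, showing the defensive pattern a fix in this area should end up with: allowlist the href before it can reach any command, and hand git an argument array so the href never passes through a shell. The names validateRepoHref, isSafeRepoHref, validateBranch, buildCloneArgs and cloneRepo are hypothetical, and the sample URLs in comments and tests are constructed.

```typescript
// Added example, not code from @acrontum/filesystem-template: allowlist
// validation of a repo href before it can reach any clone command, plus argv
// construction that never passes the href through a shell. The function
// names (validateRepoHref, buildCloneArgs, cloneRepo) are hypothetical.
import { execFile } from "node:child_process";

const ALLOWED_PROTOCOLS = new Set(["https:", "ssh:", "git:"]);
// Shell metacharacters are rejected so the value stays inert even if a caller
// later interpolates it into a command string by mistake.
const SHELL_META = /[\s;&|`$<>(){}\\'"]/;
const BRANCH_OK = /^[A-Za-z0-9._\/-]+$/;

// Returns the normalised origin string or throws on anything unexpected.
// scp-style "git@host:org/repo.git" is not an absolute URL and is rejected.
function validateRepoHref(href: string): string {
  if (href.startsWith("-")) throw new Error("href may not start with '-' (would be read as an option)");
  if (SHELL_META.test(href)) throw new Error("href contains disallowed characters");
  let url: URL | null = null;
  try { url = new URL(href); } catch { /* handled below */ }
  if (url === null) throw new Error("href is not an absolute URL");
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) throw new Error(`protocol ${url.protocol} is not allowed`);
  if (url.password) throw new Error("embedded passwords are not allowed");
  return url.href;
}

function isSafeRepoHref(href: string): boolean {
  try { validateRepoHref(href); return true; } catch { return false; }
}

function validateBranch(branch: string): string {
  if (branch.startsWith("-") || !BRANCH_OK.test(branch)) throw new Error(`invalid branch name: ${branch}`);
  return branch;
}

// argv for `git clone` as discrete arguments; `--` ends option parsing so
// neither origin nor dest can be interpreted as a flag.
function buildCloneArgs(origin: string, dest: string, branch?: string): string[] {
  const args = ["clone"];
  if (branch !== undefined) args.push("--branch", validateBranch(branch));
  args.push("--", origin, dest);
  return args;
}

// Runs git without a shell: execFile hands the argv straight to the binary.
function cloneRepo(href: string, dest: string, branch?: string): Promise<void> {
  const args = buildCloneArgs(validateRepoHref(href), dest, branch);
  return new Promise((resolve, reject) => {
    execFile("git", args, (err) => (err ? reject(err) : resolve()));
  });
}
```

cloneRepo needs a git binary on PATH; the validation and argv functions run offline.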
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @acrontum/filesystem-template (npm) | < 0.0.2 | 0.0.2 |
Affected products
- acrontum/filesystem-template
- Range: <0.0.2
Patches
baeb727b6099 remove url from fetch repo
1 file changed · +3 −3
src/lib/file-utils.ts+3 −3 modified@@ -162,7 +162,7 @@ export const fetchSource = async (pathlike: string, options?: SourceOptions): Pr const cache = getCacheDir(url); if (!sourceCache[cache?.path]) { - sourceCache[cache?.path] = isRecipeFile(url.pathname) ? fetchRecipe(url, cache, options) : fetchRepo(url, cache, options); + sourceCache[cache?.path] = isRecipeFile(url.pathname) ? fetchRecipe(url, cache, options) : fetchRepo(cache, options); } else { logger.log(`cache hit on ${cache?.path}`); } @@ -237,7 +237,7 @@ export const fetchRecipe = async (url: URL, cacheInfo: CacheInfo, options?: Sour * * @return {Promise<string>} The repo. */ -export const fetchRepo = async (url: URL, cacheInfo: CacheInfo, options?: SourceOptions): Promise<string> => { +export const fetchRepo = async (cacheInfo: CacheInfo, options?: SourceOptions): Promise<string> => { let branch = cacheInfo.branch; const { path: repo, origin, repoName } = cacheInfo; @@ -247,7 +247,7 @@ export const fetchRepo = async (url: URL, cacheInfo: CacheInfo, options?: Source return repo; } - logger.debug({ url, branch, repo, origin }); + logger.debug({ branch, repo, origin }); logger.info(`will clone ${branch ? `${logger.blu(branch)} of ` : ''}${logger.ylw(origin)} into ${logger.grn(repoName)}`); const cwd = repo;
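Review bot: in the @@ -162 hunk, fetchRepo now receives only `cache`, but `cache` is still computed from the same `url` by `getCacheDir(url)` at the top of the hunk, so the origin, branch and path fields of CacheInfo are derived from the untrusted href; the fix only holds if getCacheDir itself validates the href (scheme allowlist, no leading `-`, no shell metacharacters), which this diff does not show. `fetchRecipe(url, cache, options)` on the same line still takes the raw URL, so confirm that path never hands it to a command either.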
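Review bot: the @@ -237 hunk drops the `url` parameter from fetchRepo but only the trailing `@return {Promise<string>} The repo.` line of the JSDoc block is visible; make sure the `@param` entry for `url` above it is removed too so the doc comment matches the new signature, and call out in the PR description that removing an exported function's first parameter is a breaking change for any external caller.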
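Review bot: the @@ -247 hunk removes `url` from the debug log, which is fine, but the clone itself (announced by the `logger.info(\`will clone ...\`)` line, with `cwd = repo`) still uses `origin` and `branch` from cacheInfo and is not part of this diff; confirm that the clone runs with an argument array (execFile/spawn without `shell`) and a `--` before `origin`, rather than by interpolating `origin` and `branch` into a shell string, since that interpolation is the sink the advisory describes.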
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m2fc-9h5m-29cm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-21186 (advisory)
- github.com/acrontum/filesystem-template/commit/baeb727b60991ad82d9e63ac660883793abc0acc (web)
- github.com/acrontum/filesystem-template/issues/13 (web)
- github.com/acrontum/filesystem-template/pull/14/commits/baeb727b60991ad82d9e63ac660883793abc0acc (web)
- security.snyk.io/vuln/SNYK-JS-ACRONTUMFILESYSTEMTEMPLATE-2419071 (web)
News mentions
No linked articles in our index yet.