Command Injection
Description
The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
cocoapods-downloader before 1.6.2 allows command injection through Mercurial (hg) argument injection when downloading packages.
Vulnerability
The cocoapods-downloader Ruby gem prior to version 1.6.2 is vulnerable to command injection via argument injection in the Mercurial (hg) downloader. When the download function is invoked for an hg source, parameters such as url, revision, tag, or branch are passed to the hg clone command without proper sanitization, allowing an attacker to inject additional flags and arbitrary commands [1][2].
Exploitation
An attacker must supply a crafted hg source URL (or revision/tag/branch option) that includes Mercurial command-line flags. When the downloader executes hg clone with the attacker-controlled parameters, the extra flags can be used to perform command injection. This requires the user of the library to download a package from an untrusted source, such as a malicious CocoaPods spec [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the machine where cocoapods-downloader is used. The commands run with the privileges of the user invoking the downloader, leading to potential full compromise of the development or CI environment [1][2].
Mitigation
The vulnerability is fixed in cocoapods-downloader version 1.6.2, released on 2022-03-28 [1][2][4]. Users should upgrade to 1.6.2 or later. The fix ensures that invalid input is checked inside the download function before constructing the shell command [4]. No workaround is available.
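As an added illustration of the defensive pattern the fix describes (this is not cocoapods-downloader's own code, and the function and error names are hypothetical): caller-supplied values are rejected if they look like Mercurial options, and the hg command is built as an argv array, with user values placed after a `--` separator, instead of as a shell string.

```ruby
# Added example, not the gem's own code. Shows the check the fix describes:
# values that end up on the `hg clone` command line (url, revision, tag,
# branch) must never be able to act as command-line options.

# Hypothetical error class raised when a value looks like an hg option.
class ArgumentInjectionError < ArgumentError; end

# Reject any value that Mercurial's option parser could read as a flag.
# A leading '-' covers both short (-x) and long (--xxx) option forms.
def safe_hg_value!(name, value)
  value = value.to_s
  raise ArgumentInjectionError, "#{name} is empty" if value.empty?
  if value.start_with?('-')
    raise ArgumentInjectionError, "#{name} looks like an hg option: #{value.inspect}"
  end
  value
end

# Build the argv for `hg clone` as an array (no shell is involved) and put
# every caller-controlled positional value after `--`, which ends option
# parsing. Values passed to --rev/--branch are validated as well, so they
# cannot start a new option even though they sit before the separator.
def build_hg_clone_argv(url, target_dir, revision: nil, tag: nil, branch: nil)
  argv = ['hg', 'clone']
  # In Mercurial a tag is just another revision identifier.
  rev = revision || tag
  argv += ['--rev', safe_hg_value!('revision', rev)] if rev
  argv += ['--branch', safe_hg_value!('branch', branch)] if branch
  argv << '--'
  argv << safe_hg_value!('url', url)
  argv << safe_hg_value!('target_dir', target_dir)
end
```

The returned array is meant to be handed to `Open3.capture3(*argv)` or `system(*argv)`, which execute the program directly and never interpret the values through a shell.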
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cocoapods-downloader (RubyGems) | < 1.6.2 | 1.6.2 |
Affected products
- cocoapods-downloader/cocoapods-downloader
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-g397-v4w5-4m79 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-21223 (NVD)
3. github.com/CocoaPods/cocoapods-downloader/pull/127
4. github.com/rubysec/ruby-advisory-db/blob/master/gems/cocoapods-downloader/CVE-2022-21223.yml
5. snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414280
News mentions
No linked articles in our index yet.