VYPR
Critical severity · NVD Advisory · Published Dec 15, 2022 · Updated Apr 17, 2025

Command Injection

CVE-2022-24377

Description

Command injection vulnerability in cycle-import-check before 1.3.2 allows arbitrary command execution via the writeFileToTmpDirAndOpenIt function due to unsanitized user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

The package cycle-import-check versions before 1.3.2 contain a command injection vulnerability in the writeFileToTmpDirAndOpenIt function. The function constructs a file path using user-supplied input (the filename parameter) and passes it to the exec() call without proper sanitization. This allows an attacker to inject arbitrary operating system commands by including shell metacharacters in the filename [1]. The vulnerable code, which was removed in commit 1ca97b59df7e9c704471fcb4cf042ce76d7c9890, directly concatenated the filename into a command string executed by exec() [3].

Exploitation

Exploitation requires no authentication or special privileges beyond the ability to call the vulnerable function. An attacker can provide a malicious filename containing command separators such as & or ; to execute arbitrary commands. A proof-of-concept demonstrated by Snyk shows that calling writeFileToTmpDirAndOpenIt("& touch JHU ", "aaa") results in the execution of the injected touch command [4]. The attack surface is limited to systems where an attacker can influence the filename argument of this function, either directly (e.g., via an API) or indirectly (e.g., through a configuration file).

Impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the application or user running the vulnerable code. This can lead to complete compromise of the affected system, including data exfiltration, installation of malware, or denial of service [4]. The vulnerability is classified as critical with a CVSS v3.1 base score of 9.8, reflecting the low attack complexity and network-based attack vector [1].

Mitigation

The vulnerability has been patched in version 1.3.2 of cycle-import-check. Users should upgrade to this version or later to remediate the issue [4]. The patch removes the vulnerable writeFileToTmpDirAndOpenIt function entirely [2][3]. No workarounds are available for earlier versions.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem  Affected versions  Patched versions
cycle-import-check  npm        < 1.3.2            1.3.2


Patches

1ca97b59df7e

chore: dep update

2 files changed · +5 -22
  • src/file.ts  +5 -20  modified
    @@ -1,22 +1,16 @@
    -import { Extension, ScanResult, ReportVO, PackageJson, FileImportDescription } from "./type";
    +import { concat, filter, isArray, isString, join as arrayJoin, keys, map } from "@newdash/newdash";
    +import { includes } from "@newdash/newdash/includes";
    +import { readFileSync } from "fs";
     import { sync } from "glob";
    -import { join as pathJoin, dirname, join, normalize, relative } from "path";
    -import { join as arrayJoin, map, isArray, isString, concat, filter, keys } from "@newdash/newdash";
    -import { includes } from "@newdash/newdash/includes"
    -import { readFileSync, writeFileSync, existsSync } from "fs";
    +import { dirname, join, join as pathJoin, normalize, relative } from "path";
     import { cwd } from "process";
    -import { tmpdir, platform } from "os";
    -import { exec } from "child_process";
    +import { Extension, FileImportDescription, PackageJson, ReportVO, ScanResult } from "./type";
     
     require.extensions[".ts"] = require.extensions[".js"]
     require.extensions[".jsx"] = require.extensions[".js"]
     require.extensions[".tsx"] = require.extensions[".js"]
     require.extensions[".mjs"] = require.extensions[".js"]
     
    -const extensions = [
    -  "js", "jsx", "ts", "tsx", "mjs"
    -]
    -
     const { resolve } = require
     
     export const allDependencies = (absPath: string) => {
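Review bot: dropping `exec`, `tmpdir`, `platform`, `writeFileSync` and `existsSync` from the imports is the right companion to deleting the function further down, and it doubles as a check that no shell invocation remains in this module; the unrelated removal of the unused `extensions` array and the import reordering would be easier to review in a separate commit, and the commit message should state that a command injection path is being removed rather than "chore: dep update", so downstream users can find the fix.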
    @@ -120,12 +114,3 @@ export const mapScanResultToReportVO = (result: ScanResult): ReportVO => {
       return rt;
     }
     
    -export const writeFileToTmpDirAndOpenIt = (filename: string, content: string) => {
    -  const path = join(tmpdir(), filename);
    -  writeFileSync(path, content);
    -  if (platform() === "win32") {
    -    exec(`start ${path}`)
    -  } else {
    -    exec(`open ${path}`)
    -  }
    -}
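Review bot: removing `writeFileToTmpDirAndOpenIt` outright closes the injection, since `filename` was interpolated into the shell string passed to `exec()` with no validation, and `join(tmpdir(), filename)` did nothing to stop separators in the name reaching the shell. If the behaviour is ever reintroduced, use `execFile()` with an argv array and restrict `filename` to a single allowlisted path component whose joined path is confirmed to stay under `tmpdir()`, rather than attempting to sanitise the string. Separately, `open` is macOS-specific, so the non-win32 branch did not work on Linux anyway.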
    
  • src/index.ts  +0 -2  modified
    @@ -2,7 +2,5 @@
     
     export { scanDirectoryWithResult } from "./scanner"
     
    -export { writeFileToTmpDirAndOpenIt } from "./file"
    -
     export { calculateCycleImport } from "./graph"
     
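Review bot: this removes a public export, which is a breaking change for any consumer that called `writeFileToTmpDirAndOpenIt`; the release notes for the patched version should say so explicitly, so users upgrading for the CVE fix understand why their build fails and that no replacement is provided.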
    
