VYPR
High severity · NVD Advisory · Published Dec 21, 2022 · Updated Apr 16, 2025

Command Injection

CVE-2022-25171

Description

Command injection in the p4 npm package before 0.0.7 due to unsanitized input to the run() function, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2022-25171 is a command injection vulnerability in the p4 npm package (versions before 0.0.7). The package provides a utility library for interacting with Perforce version control. The flaw exists in the run() function, which passes user-supplied arguments directly to the child_process.exec() call without proper sanitization, as shown in the source code [1][2]. Specifically, the command is constructed by concatenating the string "p4 " with the command and arguments, allowing an attacker to inject additional shell commands via crafted input.

Exploitation

Details

An attacker can exploit this vulnerability by providing a malicious argument to the run() function, such as a command appended with shell metacharacters (e.g., ;, |, or &&). Because the exec() function spawns a shell, the injected commands will be executed alongside the intended p4 command. No authentication is required if the attacker can control the input passed to the vulnerable function; this could occur through a web interface or other application that uses the p4 package with unvalidated user data.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the server or system where the vulnerable package is used. This can lead to full compromise of the application, data exfiltration, or lateral movement within the network. The package is used in environments that interact with Perforce servers, often in development or build automation contexts, increasing the potential impact.

Mitigation

The vulnerability was patched in version 0.0.7 of the p4 package. The fix replaced child_process.exec() with child_process.spawn() and passed the command and its arguments as an argv array, so no shell parses the input and metacharacters in an argument can no longer introduce extra commands [3][4]. Users should update to version 0.0.7 or later. No known workarounds are available; updating is the recommended action.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Affected versions    Patched versions
p4 (npm)    < 0.0.7              0.0.7

Affected products

  • p4/p4 (from the description)
  • ghsa-coords: range < 0.0.7

Patches

Commit ae42e251beab

address security vulnerability

https://github.com/natelong/p4 · Nate Long · Dec 12, 2022 · via GHSA
2 files changed · +22 −6
  • p4.js (+21 −5, modified)
    @@ -1,19 +1,35 @@
     /*jshint node:true*/
     "use strict";
     
    -var exec = require("child_process").exec;
    +var exec = require("child_process").spawn;
     
     function runCommand(command, args, done) {
         if(typeof args === "function") {
             done = args;
             args = "";
         }
     
    -    exec("p4 " + command + " " + (args || ""), function(err, stdOut, stdErr) {
    -        if(err) return done(err);
    -        if(stdErr) return done(new Error(stdErr));
    +    if(!Array.isArray(args)) {
    +        args = [args];
    +    }
    +    args.unshift(command);
    +
    +    var child = spawn("p4", args);
    +    var stdOutBuf = "";
    +    var stdErrBuf = "";
    +
    +    child.stdout.on("data", (data) => stdOutBuf += data);
    +    child.stderr.on("data", (data) => stdErrBuf += data)
    +    child.on("exit", (code) => {
    +        if (code !== 0) {
    +            return done(new Error(`p4 subcommand exited with return code ${}`));
    +        }
    +
    +        if (stdErrBuf.length > 0) {
    +            return done(new Error(stdErrBuf));
    +        }
     
    -        done(null, stdOut);
    +        done(null, stdOutBuf);
         });
     }
     
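Review bot: the import line `var exec = require("child_process").spawn;` binds spawn to the name `exec`, but the new call site is `spawn("p4", args)`, so `runCommand` throws `ReferenceError: spawn is not defined` on every call; the binding should read `var spawn = require("child_process").spawn;`. In the same hunk the template literal `p4 subcommand exited with return code ${}` has an empty placeholder, which is a syntax error in Node, so the module will not even load until it becomes `${code}`. Two smaller points: when `args` is omitted it is set to `""` and then wrapped as `[""]`, handing p4 an empty argument, so the default should be `[]`; and `child.on("exit", ...)` can fire before stdout has been fully read, so `"close"` is the safer event for collecting output (the stderr handler line is also missing its semicolon).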
    
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
         "name": "p4",
    -    "version": "0.0.6",
    +    "version": "0.0.7",
         "description": "A small utility library for dealing with Perforce",
         "main": "p4.js",
         "author": "Nate Long <long.nathaniel@gmail.com>",
    

