VYPR
High severity · NVD Advisory · Published Feb 6, 2023 · Updated Mar 25, 2025

CVE-2022-25853

Description

All versions of the semver-tags npm package are vulnerable to command injection via the getGitTagsRemote function due to unsanitized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The semver-tags npm package, in all versions, contains a command injection vulnerability in the getGitTagsRemote function [1]. The root cause is that the value supplied through the repoPath option is not sanitized before it is interpolated into a shell command string, so shell metacharacters in that value are parsed as command syntax rather than as part of the repository path [2]. The vulnerability was identified by researchers from SJTU and JHU System Security Lab [4].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted repoPath value when calling the semver-tags API or CLI tool [3]. The published proof-of-concept shows that a repoPath containing shell metacharacters (e.g., "; touch EXPLOITED;") causes the appended command to run alongside the intended git invocation [4]. No authentication is involved; the only precondition is control over the value reaching the affected function, for example through a CLI argument or an API caller that forwards untrusted input.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the user running the semver-tags process [1]. On a developer workstation or CI runner this can lead to full compromise of the affected system, including data exfiltration, installation of malware, or lateral movement within a network. The CVSS 3.1 base score is 7.3 (High) [4].

Mitigation

As of the publication date (2023-02-06), there is no fixed version of semver-tags available [4]. Users are advised to avoid using the package or to validate any user-supplied input, especially repoPath, before passing it to semver-tags [3]. Validation should be an allowlist of the characters a repository path or URL legitimately contains; attempting to strip or escape shell metacharacters is error-prone and still leaves the value flowing through a shell. Because no patch exists, use of this package in production environments is strongly discouraged.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
semver-tags   npm         <= 0.4.10           none

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 0 (no linked articles in the index yet)