CVE-2022-25855
Description
A command injection vulnerability in create-choo-app3's devInstall function allows an attacker to execute arbitrary commands via unsanitized user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of the package create-choo-app3 are vulnerable to Command Injection [1][2]. The vulnerability exists in the devInstall function, which fails to properly sanitize user-supplied input before passing it to a command executor [3]. This constitutes a classic command injection flaw where attacker-controlled data flows into a system shell without adequate escaping or validation. The root cause is the lack of sanitization on parameters used within the devInstall function, as confirmed by the official CVE description [2] and Snyk advisory [3].
Exploitation
The attack surface is the devInstall function, which can be called with attacker-controlled strings. A proof-of-concept (PoC) shows that passing a string containing shell metacharacters, such as "& touch JHU", causes the text after the command separator (&) to run as a separate command [3]. No authentication or special privileges are required beyond the ability to call the vulnerable function with crafted input, so the flaw is reachable by any user or process that can supply that argument; in practice, exposure depends on whether an application or script forwards untrusted input into the call.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the process that invoked create-choo-app3 [1][2]. This can lead to full compromise of the affected system, including data exfiltration, installation of backdoors, or lateral movement within the network. No CVSS v3.1 base score is given in the available references, but the impact is high because confidentiality, integrity, and availability can all be lost completely.
Mitigation
As of the publication date, no patched version of create-choo-app3 exists [3]. Users are advised to avoid the package or, where that is not possible, to keep untrusted input away from the devInstall function entirely and to apply compensating controls such as strict allowlist validation of any argument passed to it. The package does not appear to be actively maintained, and migration to an alternative scaffolding tool is strongly recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| create-choo-app3 (npm) | <= 1.12.3 | — |
Affected products
- create-choo-app3/create-choo-app3
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.