VYPR
Critical severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 1, 2025

CVE-2022-25908

Description

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in create-choo-electron's devInstall function allows attackers to execute arbitrary commands via unsanitized user input.

Vulnerability

Overview

The create-choo-electron package is vulnerable to command injection in all versions via the devInstall function. The root cause is improper sanitization of user-supplied input, allowing an attacker to inject arbitrary operating system commands [1][2].

Exploitation

The vulnerability can be triggered by passing a crafted string to the devInstall function. For example, a proof-of-concept demonstrates injecting the command & touch JHU as part of the arguments array [2]. This requires the attacker to control the input parameters, which typically occurs when the package is used in a development environment that processes untrusted data.

Impact

Successful exploitation enables arbitrary command execution on the host system under the privileges of the user running the application. This could lead to full system compromise, data exfiltration, or further lateral movement within the network.

Mitigation

As of the latest disclosure, no patched version of create-choo-electron is available [2]. The maintainers have not released a fix, so users are advised to avoid using this package or to implement strict input validation and sanitization as a workaround [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
create-choo-electron (npm)   <= 2.0.0            none

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 3
