VYPR
Critical severity · NVD Advisory · Published Jan 6, 2023 · Updated Apr 10, 2025

CVE-2022-25923

Description

CVE-2022-25923 is a command injection vulnerability in exec-local-bin before 1.2.0 due to unsanitized user input in the theProcess() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The exec-local-bin package before version 1.2.0 is vulnerable to command injection via the theProcess() functionality. The root cause is improper user-input sanitization, which lets an attacker inject arbitrary shell commands. The package builds a command string by concatenating the user-supplied bin parameter directly onto a hardcoded node_modules/.bin path and hands that string to child_process.exec, which runs it through a shell, without any validation of bin [1][3].

Exploitation

Details

An attacker can exploit this vulnerability by passing a malicious bin argument containing shell metacharacters. For example, a string like "& touch JHU" causes the shell spawned by exec to treat the ampersand as a command separator, so the injected command (touch JHU) runs on the system [4]. No authentication is required; the attack vector is any code path that supplies the bin parameter to theProcess(). Successful exploitation depends on the application passing attacker-controllable input to the package.

Impact

Successful command injection allows an attacker to execute arbitrary operating system commands with the privileges of the application or user running the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the environment [1].

Mitigation

The vulnerability has been patched in version 1.2.0. The fix replaces direct string concatenation with path.join, validates that the resolved binary path stays within the expected node_modules/.bin directory, and checks file accessibility before execution [3]. Users should upgrade to version 1.2.0 or later. As of publication, no active exploitation in the wild has been reported, but given the ease of exploitation, immediate patching is recommended [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: exec-local-bin (npm)
Affected versions: < 1.2.0
Patched versions: 1.2.0

Patches (1)

d425866375c8

fixes(CVE-2022-25923): resolves command injection security issue

https://github.com/saeedseyfi/exec-local-bin · Saeed Seyfi · Jan 4, 2023 · via ghsa
2 files changed · +23 −2
  • index.js (+17 −2, modified)
    @@ -1,8 +1,23 @@
     const exec = require('child_process').exec;
    +const fs = require('fs');
    +const path = require('path');
     
     module.exports = async function (bin, options) {
    -    return new Promise((resolve, reject) => {
    -        const cmd = `${process.cwd()}/node_modules/.bin/${bin}`;
    +    return new Promise(async (resolve, reject) => {
    +        const binDir = `${process.cwd()}/node_modules/.bin`;
    +        const cmd = path.join(binDir, bin);
    +
    +        if (!cmd.startsWith(binDir)) {
    +            reject(new Error(`${cmd} within the expected directory`));
    +            return;
    +        }
    +
    +        try {
    +            await fs.access(cmd, fs.constants.X_OK);
    +        } catch (err) {
    +            reject(new Error(`${cmd} is not accessible: ${err.message}`));
    +            return;
    +        }
     
             console.log(`Running \`${cmd}\``);
     
    
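Review bot: the `await fs.access(cmd, fs.constants.X_OK)` inside the new try block does not wait for anything: `fs.access` is the callback API and returns undefined, so the await resolves immediately and the accessibility check never gates execution (on the Node 8 line this package declares, omitting the callback also triggers the DEP0013 deprecation warning). Use `util.promisify(fs.access)` or, on Node 10+, `fs.promises.access`. This matters because the `cmd.startsWith(binDir)` check alone does not reject a name such as the advisory's `& touch JHU`: `path.join` keeps it under binDir, so the X_OK check is the only thing standing between that value and `exec`. Two smaller points in the same hunk: compare against `binDir + path.sep` rather than `binDir` so a sibling directory whose name merely begins with `.bin` is not accepted, and the rejection message `${cmd} within the expected directory` is missing "is not". Since `exec` remains the executor further down, consider `execFile(cmd, args)` so that no shell parses the command string at all.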
  • package.json (+6 −0, modified)
    @@ -3,6 +3,12 @@
       "version": "1.1.1",
       "description": "Helps you run local node binaries in node",
       "main": "index.js",
    +  "files": [
    +    "index.js"
    +  ],
    +  "engines": {
    +    "node": "^8.0.0"
    +  },
       "scripts": {
         "test": "echo \"Error: no test specified\" && exit 1"
       },
    
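Review bot: `"engines": { "node": "^8.0.0" }` restricts installs to the Node 8 line, which is end-of-life, and does not reflect what the index.js change needs (an async Promise executor and `fs.constants` exist from Node 8, but a promise-based `fs.promises.access` would need `>=10`); `>=8.0.0` or `>=10.0.0` would be the honest range. The `version` line in context is still `1.1.1` while the advisory records the fix as shipped in 1.2.0, so the bump must land alongside this change. The `test` script is still the placeholder `echo "Error: no test specified" && exit 1`; a regression test asserting that a `bin` value containing a path separator or shell metacharacter is rejected would protect this fix.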

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
