CVE-2022-40764
Description
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-40764 is a command injection vulnerability in Snyk CLI before 1.996.0 allowing arbitrary command execution via shell metacharacters in the vendor.json ignore field, exploitable when scanning untrusted projects.
Vulnerability Overview
CVE-2022-40764 is a command injection vulnerability in the Snyk command-line interface (CLI) prior to version 1.996.0. The vulnerability arises from improper sanitization of user-controlled input in the vendor.json ignore field, which is processed by the snyk-go-plugin. Attackers can inject shell metacharacters to execute arbitrary commands on the host system [1][3]. This affects Snyk IDE plugins, the snyk npm package, and CI/CD integrations like the Snyk TeamCity plugin [1].
Exploitation Scenario
Exploitation can occur when a user scans an untrusted project, such as opening a malicious repository in Visual Studio Code with the Snyk extension installed. The attacker crafts a vendor.json file with a malicious ignore field, and when the Snyk CLI processes it during a scan, the injected commands are executed. No special privileges are required beyond the ability to run a Snyk scan on untrusted input [3].
Impact
Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the user running the Snyk CLI. This could lead to data exfiltration, file modification, or installation of malware. The vulnerability is particularly dangerous because it can be triggered by simply viewing untrusted files in an IDE [1][3].
Mitigation
Snyk released a fix in CLI version 1.996.0, and users are advised to update immediately [4]. The Snyk TeamCity plugin must be manually updated to version 20220930.142957 or later [1]. Related vulnerabilities CVE-2022-24441 and CVE-2022-22984 have also been addressed [3].
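The narrative above describes an unsanitized ignore field reaching a shell. As an added illustration (not code from Snyk or the snyk-go-plugin project; the govendor-style whitespace-separated ignore format, the build-tag allow-list regex and the `go list -tags` command shape are assumptions), this JavaScript validates the field against a strict allow-list and builds an argument array for a shell-free spawn, so metacharacters are rejected rather than interpreted:

```javascript
// Added example, not code from Snyk or the snyk-go-plugin project.
// Assumptions: vendor.json carries a govendor-style "ignore" field holding
// whitespace-separated Go build tags, and the scanner needs those tags for
// a `go list -tags ...` invocation. Names and the regex are this example's own.
const SAFE_TAG = /^[A-Za-z0-9_.]+$/; // build tags never need shell metacharacters

// Parse vendor.json text and split the ignore field into candidate tags,
// separating those that pass the allow-list from those that do not.
function parseIgnoreTags(vendorJsonText) {
  const doc = JSON.parse(vendorJsonText);
  const raw = typeof doc.ignore === 'string' ? doc.ignore : '';
  const tags = raw.split(/\s+/).filter(Boolean);
  const rejected = tags.filter((t) => !SAFE_TAG.test(t));
  return { tags, rejected };
}

// Build the argv array a caller would hand to child_process.execFile or
// spawn without a shell. Refuses to build anything if an entry fails the
// allow-list; a shell-free argv means a surviving ';' or '$(...)' would be
// passed to `go` as literal text, never executed.
function buildGoListArgv(vendorJsonText) {
  const { tags, rejected } = parseIgnoreTags(vendorJsonText);
  if (rejected.length > 0) {
    throw new Error(`vendor.json ignore field contains unsafe entries: ${rejected.join(' ')}`);
  }
  return ['go', 'list', '-tags', tags.join(' '), './...'];
}

// Detection-side use: flag a vendor.json before a scanner touches it.
function isVendorJsonSafe(vendorJsonText) {
  return parseIgnoreTags(vendorJsonText).rejected.length === 0;
}

// Constructed sample inputs (not taken from any real project).
const BENIGN_VENDOR_JSON = JSON.stringify({ ignore: 'test appengine' });
const HOSTILE_VENDOR_JSON = JSON.stringify({ ignore: 'test; echo injected' });

console.log(isVendorJsonSafe(BENIGN_VENDOR_JSON), isVendorJsonSafe(HOSTILE_VENDOR_JSON)); // true false
```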
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| snyk | npm | < 1.996.0 | 1.996.0 |
| snyk-go-plugin | npm | < 1.19.1 | 1.19.1 |
Affected products
- Snyk/CLI (GHSA coordinates, 2 versions): < 1.996.0, + 1 more
- (no CPE) range: < 1.996.0
- (no CPE) range: < 1.19.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hpqj-7cj6-hfj8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-40764 (ghsa, ADVISORY)
- github.com/snyk/cli/releases/tag/v1.996.0 (ghsa, x_refsource_MISC, WEB)
- github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1 (ghsa, x_refsource_MISC, WEB)
- support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0 (ghsa, x_refsource_MISC, WEB)
- www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution (ghsa, WEB)
- www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/ (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.