CVE-2024-48963
Description
The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An untrusted PHP project directory name can cause code injection in Snyk CLI before 1.1294.0 when scanning.
Vulnerability
CVE-2024-48963 is a code injection vulnerability in Snyk CLI versions before 1.1294.0 (the bundled snyk-php-plugin before 1.10.0), affecting scans of untrusted PHP projects. The root cause is improper handling of the current working directory name: the PHP plugin builds the path to composer.phar from the current working directory and embeds that path in the command line it executes, so when snyk test is run inside an untrusted project, the directory name itself can carry arbitrary command syntax [1].
Exploitation
An attacker can exploit this vulnerability by supplying a PHP project whose top-level directory has a crafted name, for example an archive or repository the victim unpacks as delivered. If the victim runs snyk test inside that directory, the name is processed insecurely and the command syntax it carries is executed. No authentication is required beyond the victim running the scan, and the attack surface is the local file system where the project resides.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the user running the Snyk CLI. This could lead to full compromise of the development environment, including data exfiltration, credential theft, or further lateral movement. The vulnerability is particularly dangerous because it leverages a seemingly innocuous action: scanning a project.
Mitigation
Snyk released version 1.1294.0 of the CLI to address the issue [1]. The fix, in snyk-php-plugin 1.10.0, changes how the composer commands are handed to the child process: the command and its arguments are passed to spawn separately as an argv array with shell: false instead of as a single command string, so the directory-derived path arrives as one literal argument and is never parsed as command syntax [4]. Users should update to the latest version and follow the recommendation to only scan trusted projects. There is no indication that this vulnerability is exploited in the wild or listed in KEV as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
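The injection described in the Exploitation paragraph and the fix described in the Mitigation paragraph, side by side, as an added example that is not code from this page or from snyk-php-plugin. It assumes a POSIX sh and uses echo in place of php so that the child's argv is visible in its output; the vulnerable half interpolates the project path into one command string and runs it through a shell, the fixed half mirrors the patch by passing the command and its argument list to spawnSync separately with shell: false. The directory name, the INJECTED marker and the helper names are constructed for the example.

```typescript
import * as childProcess from 'child_process';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Stand-in for `php` (assumption for the example): `echo` simply reflects its
// argv, so the output shows exactly what the child process received.
const INTERPRETER = 'echo';

// Vulnerable pattern: the project path is interpolated into one command string
// that a shell then parses, so shell metacharacters in the directory name
// become command syntax.
export function runPharCmdVulnerable(projectDir: string): string {
  const pharPath = path.resolve(projectDir, 'composer.phar');
  const cmd = `${INTERPRETER} ${pharPath} show -p --format=json`;
  const result = childProcess.spawnSync(cmd, { shell: true, cwd: projectDir });
  return result.stdout.toString();
}

// Hardened pattern, mirroring the patch: command and argv are separate and no
// shell is involved, so the path is delivered to the child as a single
// argv element no matter what characters it contains.
export function runPharCmdFixed(projectDir: string): string {
  const pharPath = path.resolve(projectDir, 'composer.phar');
  const args = [pharPath, 'show', '-p', '--format=json'];
  const result = childProcess.spawnSync(INTERPRETER, args, { shell: false, cwd: projectDir });
  return result.stdout.toString();
}

// True if the output contains a line that only an injected command could have
// produced: the marker echoed by the constructed directory name below.
export function wasInjected(output: string): boolean {
  return output.split('\n').indexOf('INJECTED') !== -1;
}

// Constructed attacker-chosen directory name: `;` terminates the intended
// command, `echo INJECTED` runs as a second command, `#` comments out the rest.
export const MALICIOUS_DIR_NAME = 'proj;echo INJECTED;#';

// Creates the untrusted project directory under a fresh temp dir, runs both
// variants inside it and reports whether each one was injected.
export function demo(): { vulnerable: boolean; fixed: boolean } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'cve-2024-48963-'));
  const projectDir = path.join(root, MALICIOUS_DIR_NAME);
  fs.mkdirSync(projectDir);
  try {
    return {
      vulnerable: wasInjected(runPharCmdVulnerable(projectDir)),
      fixed: wasInjected(runPharCmdFixed(projectDir)),
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

Calling demo() returns { vulnerable: true, fixed: false }: the shell variant prints INJECTED on a line of its own because the ; in the name ended the intended command, while the argv variant prints the whole name as one literal argument. The same separation is what the patch applies to composerCmd, composerShowCmd and pharCmd.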
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snyk-php-plugin (npm) | < 1.10.0 | 1.10.0 |
Affected products
OSV coordinates (3 version ranges):
- (no CPE) range: < 1.1294.0-r0
- (no CPE) range: < 1.1294.0-r0
- (no CPE) range: < 1.10.0
- Snyk / Snyk PHP Plugin
Patches
19189f093b94f feat: pass command and args into spawn separately
2 files changed · +14 −12
lib/composer-cmds.ts+10 −8 modified@@ -1,15 +1,17 @@ import * as path from 'path'; import * as childProcess from 'child_process'; +export const composerCmd = {command: 'composer', args: ['--version']}; +export const composerShowCmd = {command: 'composer', args: ['show', '-p']}; +export const pharCmd = {command: `php`, args:[`${path.resolve(path.resolve() + '/composer.phar')}`, 'show', '-p', '--format=json'] +}; -export const composerCmd = 'composer --version'; -export const composerShowCmd = 'composer show -p'; -export const pharCmd = `php ${path.resolve(path.resolve() + '/composer.phar')} show -p --format=json`; - -export function cmdReturnsOk(cmd): boolean { - return cmd && childProcess.spawnSync(cmd, { shell: false }).status === 0; +export function cmdReturnsOk(cmd, args: string[] = []): boolean { + const spawnOptions: childProcess.SpawnOptions = { shell: false }; + return cmd && childProcess.spawnSync(cmd, args,spawnOptions).status === 0; } // run a cmd in a specific folder and it's result should be there -export function execWithResult(cmd, basePath): string { - return childProcess.spawnSync(cmd, { cwd: basePath, shell: false }).toString(); +export function execWithResult(cmd, basePath, args: string[] = []): string { + const spawnOptions: childProcess.SpawnOptions ={ cwd: basePath, shell: false } + return childProcess.spawnSync(cmd, args, spawnOptions).toString(); }
lib/system-deps.ts+4 −4 modified@@ -9,25 +9,25 @@ function isSet(variable): boolean { } export function systemDeps(basePath: string, options: PhpOptions): SystemPackages { - const composerOk = isSet(options.composerIsFine) ? options.composerIsFine : cmds.cmdReturnsOk(cmds.composerCmd); + const composerOk = isSet(options.composerIsFine) ? options.composerIsFine : cmds.cmdReturnsOk(cmds.composerCmd.command,cmds.composerCmd.args); const composerPharOk = isSet(options.composerPharIsFine) ? - options.composerPharIsFine : cmds.cmdReturnsOk(cmds.pharCmd); + options.composerPharIsFine : cmds.cmdReturnsOk(cmds.pharCmd.command, cmds.pharCmd.args); let finalVersionsObj = {}; if (options.systemVersions && (Object.keys(options.systemVersions).length > 0)) { // give first preference to a stub finalVersionsObj = options.systemVersions; } else if (composerOk) { - const lines = cmds.execWithResult(cmds.composerShowCmd, basePath).split(os.EOL); + const lines = cmds.execWithResult(cmds.composerShowCmd.command, basePath, cmds.composerShowCmd.args).split(os.EOL); lines.forEach((line) => { const [part1, part2] = line.split(/\s+/); if (part2) { finalVersionsObj[part1] = part2; } }); } else if (composerPharOk) { - const output = cmds.execWithResult(cmds.pharCmd, basePath); + const output = cmds.execWithResult(cmds.pharCmd.command, basePath, cmds.pharCmd.args); const versionsObj = JSON.parse(output).platform; versionsObj.forEach(({name, version}) => { finalVersionsObj[name] = version;
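Review bot: in lib/composer-cmds.ts, `execWithResult` still calls `.toString()` on the object `spawnSync` returns rather than on its `stdout` buffer (`return childProcess.spawnSync(cmd, args, spawnOptions).toString();`), so a caller that parses the result receives the stringified result object, not the command output; make it `.stdout.toString()` and check `status` before returning. Separately, `pharCmd` still builds the phar path from `path.resolve()` with no argument, i.e. the process cwd, while `execWithResult` runs the child in `basePath`; deriving the path from `basePath` would keep the two consistent. The `{command, args}` split itself does what the commit says: the path is now one argv entry, and with `shell: false` nothing re-parses it.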
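Review bot: in lib/system-deps.ts, each call site now passes `x.command` and `x.args` as two separate arguments with `basePath` wedged between them (`cmds.execWithResult(cmds.composerShowCmd.command, basePath, cmds.composerShowCmd.args)`); passing the `{command, args}` object through, or at least placing `args` next to `command`, would stop a future call site pairing one command with another's args. Also, on the `composerPharOk` branch `JSON.parse(output).platform` runs without looking at the child's exit status; a failed composer invocation should be handled before its output is parsed.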
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References