High severity (7.2) · OSV Advisory · Published Oct 27, 2024 · Updated Jun 17, 2026
CVE-2024-50611
Description
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @cyclonedx/cdxgen (npm) | < 11.1.7 | 11.1.7 |
References
- github.com/advisories/GHSA-hxf3-vgpm-fv9p (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-50611 (advisory, via GHSA)
- github.com/CycloneDX/cdxgen/issues/1328 (web, via NVD)
- github.com/CycloneDX/cdxgen/pull/1614 (web, via GHSA)
- github.com/CycloneDX/cdxgen/releases (web, via NVD)
- github.com/CycloneDX/cdxgen/releases/tag/v11.1.7 (web, via GHSA)
- owasp.org/www-project-dep-scan (web, via GHSA)
- owasp.org/www-project-dep-scan/ (via NVD)