VYPR
Critical severity · NVD Advisory · Published Sep 8, 2025 · Updated Sep 8, 2025

CVE-2025-57285


Description

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CodeceptJS 3.7.3 is vulnerable to command injection in the emptyFolder function, allowing arbitrary command execution via unsanitized user input.

The vulnerability exists in the emptyFolder function within lib/utils.js of CodeceptJS version 3.7.3 [1]. The function uses execSync to remove a directory, but it directly concatenates the user-controlled directoryPath parameter into the shell command without any sanitization or escaping [3]. This allows an attacker to inject arbitrary operating system commands.

Exploitation requires control over the output configuration parameter, which is passed to emptyFolder when the emptyOutputFolder option is enabled. The PoC provided by the discoverer demonstrates that setting output to a string like /test/ ; touch Dremig486; # results in the execution of touch Dremig486 after the intended removal command [4]. No authentication or special network position is required if the attacker can influence the configuration.

A successful attack enables arbitrary command execution with the privileges of the Node.js process running CodeceptJS. This could lead to data exfiltration, system compromise, or lateral movement within the testing environment. The impact is limited to the context of the user running the tests.

As of now, no official fix has been released for this vulnerability. Users are advised to avoid using untrusted input in the output path and to disable the emptyOutputFolder feature if not necessary. Until a patch is available, sanitization of the output directory path should be implemented manually; a pull request exists that may address the issue [2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: codeceptjs (npm)
Affected versions: >= 3.5.0, < 3.7.5
Patched versions: 3.7.5
