create-choo-app3 is vulnerable to Command Injection via the devInstall function · CVE-2022-25855 · GitHub Advisory Database · GitHub

create-choo-app3 is vulnerable to Command Injection via the devInstall function

High severity GitHub Reviewed Published Feb 6, 2023 to the GitHub Advisory Database • Updated Feb 13, 2023

Package

create-choo-app3 (npm)

Affected versions

<= 1.12.3

Patched versions

None

Description

All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

References

Published by the National Vulnerability Database

Feb 6, 2023

Published to the GitHub Advisory Database Feb 6, 2023

Reviewed Feb 7, 2023

Last updated Feb 13, 2023

Severity

High

7.8

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H