GHSA-5VWR-QCHF-Q4PF

Vulnerability from github – Published: 2026-06-26 19:47 – Updated: 2026-06-26 19:47
VLAI
Summary
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths
Details

Summary

A command injection vulnerability existed in the Maven scanning flow of cdxgen before version 12.4.3.

When cdxgen scanned an attacker-controlled Maven project, repository-controlled paths could be used in the Maven command construction. In affected versions, some Maven invocations were executed with shell: true. A directory name containing shell metacharacters could therefore be interpreted by the shell instead of being treated only as a filesystem path.

This could allow an attacker who controls a scanned repository to execute commands in the cdxgen process context.

The issue affected both the CLI and server mode. The issue is patched in 12.4.3.

Affected asset

  • Project: cdxgen
  • Tested version: 12.4.1
  • Mode tested: server mode
  • Endpoint: POST /sbom
  • Scanner path: Java / Maven project scanning

Patch

Version 12.4.3 includes hardening for this issue with PR #4059

The patch adds multiple mitigations:

  • Maven command invocations no longer use unconditional shell execution on POSIX platforms.
  • Bazel command invocation was similarly changed away from unconditional shell execution.
  • Windows compatibility is preserved using shell: isWin where needed.
  • safeSpawnSync now blocks shell: true invocations when the command or direct argument values contain shell metacharacters.
  • cdxgen does not validate or sanitise every nested directory. The threat model is updated to clarify mitigation scope.

Workarounds

The recommended remediation is to upgrade to 12.4.3 or later.

If immediate upgrade is not possible:

  • Do not run cdxgen server mode on untrusted networks.
  • Do not expose POST /sbom to unauthenticated or untrusted clients.
  • Avoid scanning untrusted Java/Maven repositories.
  • Run cdxgen inside a locked-down container or sandbox.
  • Remove sensitive environment variables from the cdxgen process environment.
  • Use least-privilege filesystem mounts.
  • Restrict outbound network access where possible.

Use cdxgen secure/dry-run modes where suitable to inspect planned operations before performing scans. Configure host and command allowlists where applicable, such as:

  • CDXGEN_SERVER_ALLOWED_HOSTS
  • CDXGEN_GIT_ALLOWED_HOSTS
  • CDXGEN_ALLOWED_COMMANDS
  • CDXGEN_SECURE_MODE=true

These mitigations reduce exposure but do not fully address the vulnerable command construction in affected versions.

Threat model clarification

The mitigation added in 12.4.3 applies to the cdxgen process boundary. Specifically, cdxgen now hardens command, option, and path values that cdxgen itself passes to external processes through safeSpawnSync.

This does not mean cdxgen sanitizes every nested path, module name, generated path, or project-controlled value that an external build tool later discovers and interprets inside its own process. Once cdxgen safely invokes Maven, Gradle, Bazel, SBT, or another build tool, that tool’s internal behavior remains a separate trust boundary.

In scope for this fix:

  • command and argument values passed directly by cdxgen to child processes;
  • cdxgen’s own use of shell: true;
  • Maven/Bazel command invocation paths controlled by cdxgen.

Out of scope for this specific mitigation:

  • arbitrary nested paths later discovered by Maven itself;
  • Maven plugin behavior;
  • Maven lifecycle hooks;
  • build-tool-specific interpretation of project files after cdxgen has launched the tool.

This residual risk is documented in the cdxgen threat model and is why untrusted project scans should still be run in sandboxed, least-privileged environments.

Detection

Possible indicators of exploitation or probing include:

  • Maven module directories containing shell metacharacters such as:
;
&
|
<
>
$
backticks
newlines
  • Logs showing settings.xml or pom.xml discovered in suspicious paths.
  • Unexpected files created outside the scanned repository during a Java/Maven scan.
  • Unexpected child process behavior during cdxgen server scans.
  • cdxgen server receiving POST /sbom requests for attacker-controlled Git URLs.

Example suspicious path pattern:

evil;cd${IFS}..;cd${IFS}..;printf${IFS}...>...;#

Credits

Reported-By: @aleff-github

Resources

  • Patch PR - https://github.com/cdxgen/cdxgen/pull/4059
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cyclonedx/cdxgen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T19:47:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA command injection vulnerability existed in the Maven scanning flow of cdxgen before version 12.4.3.\n\nWhen cdxgen scanned an attacker-controlled Maven project, repository-controlled paths could be used in the Maven command construction. In affected versions, some Maven invocations were executed with `shell: true`. A directory name containing shell metacharacters could therefore be interpreted by the shell instead of being treated only as a filesystem path.\n\nThis could allow an attacker who controls a scanned repository to execute commands in the cdxgen process context.\n\nThe issue affected both the CLI and server mode. The issue is patched in `12.4.3`.\n\n## Affected asset\n\n- Project: cdxgen\n- Tested version: 12.4.1\n- Mode tested: server mode\n- Endpoint: `POST /sbom`\n- Scanner path: Java / Maven project scanning\n\n## Patch\n\nVersion 12.4.3 includes hardening for this issue with PR #4059 \n\nThe patch adds multiple mitigations:\n\n- Maven command invocations no longer use unconditional shell execution on POSIX platforms.\n- Bazel command invocation was similarly changed away from unconditional shell execution.\n- Windows compatibility is preserved using `shell: isWin` where needed.\n- `safeSpawnSync` now blocks `shell: true` invocations when the command or direct argument values contain shell metacharacters.\n- cdxgen does not validate or sanitise every nested directory. The threat model is updated to clarify mitigation scope.\n\n## Workarounds\n\nThe recommended remediation is to upgrade to 12.4.3 or later.\n\nIf immediate upgrade is not possible:\n\n- Do not run cdxgen server mode on untrusted networks.\n- Do not expose POST /sbom to unauthenticated or untrusted clients.\n- Avoid scanning untrusted Java/Maven repositories.\n- Run cdxgen inside a locked-down container or sandbox.\n- Remove sensitive environment variables from the cdxgen process environment.\n- Use least-privilege filesystem mounts.\n- Restrict outbound network access where possible.\n\nUse cdxgen secure/dry-run modes where suitable to inspect planned operations before performing scans.\nConfigure host and command allowlists where applicable, such as:\n\n- CDXGEN_SERVER_ALLOWED_HOSTS\n- CDXGEN_GIT_ALLOWED_HOSTS\n- CDXGEN_ALLOWED_COMMANDS\n- CDXGEN_SECURE_MODE=true\n\nThese mitigations reduce exposure but do not fully address the vulnerable command construction in affected versions.\n\n## Threat model clarification\n\nThe mitigation added in 12.4.3 applies to the cdxgen process boundary. Specifically, cdxgen now hardens command, option, and path values that cdxgen itself passes to external processes through safeSpawnSync.\n\nThis does not mean cdxgen sanitizes every nested path, module name, generated path, or project-controlled value that an external build tool later discovers and interprets inside its own process. Once cdxgen safely invokes Maven, Gradle, Bazel, SBT, or another build tool, that tool\u2019s internal behavior remains a separate trust boundary.\n\n### In scope for this fix:\n\n- command and argument values passed directly by cdxgen to child processes;\n- cdxgen\u2019s own use of shell: true;\n- Maven/Bazel command invocation paths controlled by cdxgen.\n\n### Out of scope for this specific mitigation:\n- arbitrary nested paths later discovered by Maven itself;\n- Maven plugin behavior;\n- Maven lifecycle hooks;\n- build-tool-specific interpretation of project files after cdxgen has launched the tool.\n\nThis residual risk is documented in the cdxgen threat model and is why untrusted project scans should still be run in sandboxed, least-privileged environments.\n\n## Detection\n\nPossible indicators of exploitation or probing include:\n\n- Maven module directories containing shell metacharacters such as:\n\n```\n;\n\u0026\n|\n\u003c\n\u003e\n$\nbackticks\nnewlines\n```\n\n- Logs showing settings.xml or pom.xml discovered in suspicious paths.\n- Unexpected files created outside the scanned repository during a Java/Maven scan.\n- Unexpected child process behavior during cdxgen server scans.\n- cdxgen server receiving POST /sbom requests for attacker-controlled Git URLs.\n\nExample suspicious path pattern:\n\n```\nevil;cd${IFS}..;cd${IFS}..;printf${IFS}...\u003e...;#\n```\n\n## Credits\n\nReported-By: @aleff-github \n\n## Resources\n\n- Patch PR - https://github.com/cdxgen/cdxgen/pull/4059",
  "id": "GHSA-5vwr-qchf-q4pf",
  "modified": "2026-06-26T19:47:24Z",
  "published": "2026-06-26T19:47:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cdxgen/cdxgen/security/advisories/GHSA-5vwr-qchf-q4pf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cdxgen/cdxgen/pull/4059"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cdxgen/cdxgen"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…