Description
@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
Published: 2026-07-08
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The cyclonedx-node-npm CLI, which generates software bill of materials for npm projects, accepts a `--workspace` option that is passed directly to a shell when the environment variable npm_execpath is unset or empty. Because the value supplied by the user is not sanitized, an attacker who can influence this argument can cause arbitrary operating‑system commands to execute with the privileges of the user running the tool. This flaw is categorized as a CWE‑78 (OS Command Injection) and is rated 8.5 on the CVSS scale.

Affected Systems

All installations of CycloneDX:cyclonedx-node-npm from version 2.1.0 up to, but not including, 5.0.0 are susceptible. The vulnerability was resolved by the release of v5.0.0, which sanitizes the `--workspace` argument or removes it from the shell invocation when npm_execpath is not defined.

Risk and Exploitability

The vulnerability is exploitable in a local context; an adversary to control the `--workspace` argument, which is typically supplied by a user or a build script. The absence of an EPSS score leaves the precise likelihood uncertain, but the CVSS score indicates high severity. Because the attack requires local execution and can be triggered only when npm_execpath is unset, the probability of exploitation is moderate in usual operational environments. The issue is not currently listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported, yet organizations that routinely run cyclonedx-node-npm against untrusted input remain at risk until they upgrade to 5.0.0.

Generated by OpenCVE AI on July 9, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cyclonedx-node-npm to version 5.0.0 or later
  • Ensure the environment variable npm_execpath is defined before invoking the CLI in sensitive environments
  • Limit the use of the --workspace option to trusted inputs or disable it in automated build pipelines until the update is applied

Generated by OpenCVE AI on July 9, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v75r-vx73-82pj @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
History

Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description @cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
Title @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T21:10:15.798Z

Reserved: 2026-06-17T16:44:40.994Z

Link: CVE-2026-55849

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')