Impact
The cyclonedx-node-npm CLI, which generates software bill of materials for npm projects, accepts a `--workspace` option that is passed directly to a shell when the environment variable npm_execpath is unset or empty. Because the value supplied by the user is not sanitized, an attacker who can influence this argument can cause arbitrary operating‑system commands to execute with the privileges of the user running the tool. This flaw is categorized as a CWE‑78 (OS Command Injection) and is rated 8.5 on the CVSS scale.
Affected Systems
All installations of CycloneDX:cyclonedx-node-npm from version 2.1.0 up to, but not including, 5.0.0 are susceptible. The vulnerability was resolved by the release of v5.0.0, which sanitizes the `--workspace` argument or removes it from the shell invocation when npm_execpath is not defined.
Risk and Exploitability
The vulnerability is exploitable in a local context; an adversary to control the `--workspace` argument, which is typically supplied by a user or a build script. The absence of an EPSS score leaves the precise likelihood uncertain, but the CVSS score indicates high severity. Because the attack requires local execution and can be triggered only when npm_execpath is unset, the probability of exploitation is moderate in usual operational environments. The issue is not currently listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported, yet organizations that routinely run cyclonedx-node-npm against untrusted input remain at risk until they upgrade to 5.0.0.
OpenCVE Enrichment
Github GHSA