Advisories for Npm/@Cyclonedx/Cdxgen package

2026

@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths

A command injection vulnerability existed in the Maven scanning flow of cdxgen before version 12.4.3. When cdxgen scanned an attacker-controlled Maven project, repository-controlled paths could be used in the Maven command construction. In affected versions, some Maven invocations were executed with shell: true. A directory name containing shell metacharacters could therefore be interpreted by the shell instead of being treated only as a filesystem path. This could allow an attacker …

@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

When cdxgen scans or pulls container images through the Docker daemon API, it builds an X-Registry-Auth header from Docker credentials in DOCKER_CONFIG/config.json. The credential selection logic matches configured registry keys with substring checks: if (forRegistry && !serverAddress.includes(forRegistry)) { continue; } This is not an origin-safe registry comparison. For example, credentials configured for private-registry.example.com are selected for a requested image under registry.example.com, because: "private-registry.example.com".includes("registry.example.com") === true The selected credentials are then …

2024