CVE-2022-24377: cycle-import-check vulnerable to Command Injection

December 14, 2022 (updated August 8, 2023)

The package cycle-import-check before 1.3.2 is vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

References

github.com/Soontao/cycle-import-check/commit/1ca97b59df7e9c704471fcb4cf042ce76d7c9890
github.com/advisories/GHSA-995x-33wq-8gc9
nvd.nist.gov/vuln/detail/CVE-2022-24377
security.snyk.io/vuln/SNYK-JS-CYCLEIMPORTCHECK-3157955

Detect and mitigate CVE-2022-24377 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →