CVE-2022-25962: Command injection in vagrant.js

January 26, 2023 (updated November 7, 2023)

All versions of the package vagrant.js is vulnerable to Command Injection via the boxAdd function due to improper input sanitization.

References

github.com/advisories/GHSA-54jw-jqr9-6cj9
nvd.nist.gov/vuln/detail/CVE-2022-25962
security.snyk.io/vuln/SNYK-JS-VAGRANTJS-3175614

Detect and mitigate CVE-2022-25962 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →