Command Injection in create-choo-electron

Description

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.0.0

References

• GHSA-j8wr-fwf2-vvr9
• security.snyk.io
• CVE-2022-25908
• CWE-77
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• create-choo-app3 is vulnerable to Command Injection via the devInstall function - CVE-2022-25855
• @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input - CVE-2026-42853
• Command injection in Parse Server through prototype pollution - CVE-2022-24760
• Command Injection in ungit - CVE-2022-25766

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

create-choo-electron