create-choo-app3 is vulnerable to Command Injection via the devInstall function

Description

All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.12.3

References

• GHSA-rj7m-2p3g-fjxg
• security.snyk.io
• CVE-2022-25855
• CWE-77
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Command Injection in create-choo-electron - CVE-2022-25908
• Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - CVE-2022-35948
• Eta vulnerable to Code Injection via templates rendered with user-defined data - CVE-2022-25967
• React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010

Tags:

npm

create-choo-app3