create-choo-app3 is vulnerable to Command Injection via the devInstall function

Description

All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.12.3

References

• GHSA-rj7m-2p3g-fjxg
• security.snyk.io
• CVE-2022-25855
• CWE-77
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
• PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
• Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 5 - CVE-2025-27597
• Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597

Tags:

npm

create-choo-app3