create-choo-app3 is vulnerable to Command Injection via the devInstall function

Description

All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.12.3

References

• GHSA-rj7m-2p3g-fjxg
• security.snyk.io
• CVE-2022-25855
• CWE-77
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Command Injection in create-choo-electron - CVE-2022-25908
• Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
• @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input - CVE-2026-42853
• Eta vulnerable to Code Injection via templates rendered with user-defined data - CVE-2022-25967

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

create-choo-app3