EXECUTIVE SUMMARY:
CVE-2026-55849 with a CVSS score of 8.5 is a command injection flaw in the @cyclonedx/cyclonedx-npm CLI tool, affecting versions from up to but not including. The vulnerability arises when the tool is run with the --workspace option while the environment variable npm_execpath is unset or empty; the supplied workspace name is concatenated into a shell command without proper sanitisation, causing the underlying subshell to interpret any injected shell metacharacters. An attacker who can influence the value passed to --workspace can craft a payload such as "; rm -rf /tmp/*" that is executed with the privileges of the user invoking the CLI. This grants the attacker arbitrary OS command execution, enabling data exfiltration, file manipulation, or local privilege escalation depending on the context. The business impact includes potential loss of confidential data, disruption of development pipelines, and unauthorized modification of artifacts, all of which can undermine trust in the software supply chain. Exploitation requires only the ability to supply or modify the --workspace parameter and the absence of npm_execpath; no additional network access or elevated privileges are needed.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-55849 with a CVSS score of 8.5 is a command injection flaw in the @cyclonedx/cyclonedx-npm CLI tool, affecting versions from up to but not including. The vulnerability arises when the tool is run with the --workspace option while the environment variable npm_execpath is unset or empty; the supplied workspace name is concatenated into a shell command without proper sanitisation, causing the underlying subshell to interpret any injected shell metacharacters. An attacker who can influence the value passed to --workspace can craft a payload such as "; rm -rf /tmp/*" that is executed with the privileges of the user invoking the CLI. This grants the attacker arbitrary OS command execution, enabling data exfiltration, file manipulation, or local privilege escalation depending on the context. The business impact includes potential loss of confidential data, disruption of development pipelines, and unauthorized modification of artifacts, all of which can undermine trust in the software supply chain. Exploitation requires only the ability to supply or modify the --workspace parameter and the absence of npm_execpath; no additional network access or elevated privileges are needed.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-v75r-vx73-82pj