CVE-2022-25853

Description

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.

How to fix CVE-2022-25853

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• npm/semver-tags—no fix listed

Is CVE-2022-25853 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 0.4.10

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25853
• PATCHgithub.com/jtrussell/semver-tags
• WEBgithub.com/jtrussell/semver-tags/blob/db1ba680bafed0d51e1bb36bd38f2c5439fe8b00/lib/get-tags.js%23L21
• WEBgithub.com/jtrussell/semver-tags/blob/db1ba680bafed0d51e1bb36bd38f2c5439fe8b00/lib/get-tags.js#L21