CVE-2022-25171: p4 vulnerable to Command Injection due to improper input sanitization

December 20, 2022 (updated April 16, 2025)

The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization

References

github.com/advisories/GHSA-jfm8-hwhg-r6gg
github.com/natelong/p4
github.com/natelong/p4/blob/master/p4.js
github.com/natelong/p4/commit/ae42e251beabf67c00539ec0e1d7aa149ca445fb
nvd.nist.gov/vuln/detail/CVE-2022-25171
security.snyk.io/vuln/SNYK-JS-P4-3167330

Code Behaviors & Features

Detect and mitigate CVE-2022-25171 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →