Code injection vulnerabilities (CVSSv3 5.8) found in Snyk CLI and IDE plugins

As a Snyk user, we want to let you know about two new medium severity (CVSSv3 5.8) vulnerabilities in our CLI and IDE plugins.

• CVE-2022-24441

• CVE-2022-22984

Although hard to exploit, these vulnerabilities can lead to arbitrary code execution on the host system. See below for details on how to mitigate these risks and stay safe.

CVE-2022-24441 – Code injection in Snyk CLI and Snyk IDE plugins

The Snyk CLI may allow for arbitrary code execution when being used to analyze untrusted projects. This is due to the fact that the Snyk CLI leverages various build tools to provide information about the project for analysis, and these tools may execute code.

There is an increased risk when using the Snyk IDE plugins as these plugins automatically invoke the Snyk CLI to perform analysis when a project is opened, potentially allowing the execution of arbitrary code by simply opening an untrusted folder.

To safeguard from the risk of running untrusted projects, Snyk has implemented a change in the Snyk IDE plugins that will ask for project trust before allowing the developer to run any scans against code.

We have also updated our documentation for the Snyk CLI with best practice advice to avoid scanning untrusted code. We recommend IDE plugin users upgrade to a version with the project trust feature, further details can be found on the Snyk Support portal.

CVE-2022-22984 – Snyk CLI command injection

The Snyk CLI prior to version v1.1064.0 is vulnerable to an arbitrary command injection vulnerability in the command line flags which are used to construct arguments for spawning subsequent child processes.

Due to the attack complexity and prerequisite to already control parts of the CLI command, this is not a major risk — but Snyk customers should update as soon as possible to ensure programmatic usage of the Snyk CLI is protected from abuse.

How to upgrade and stay safe

You can find more information, including how to update your CLI and IDE plugins on the Snyk Support portal.

We’ll keep this updated with more information along with responses to any frequently asked questions that arise.

Further information

You can find more details on the individual vulnerabilities in our public vulnerability database:

• https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871

• https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622

These vulnerabilities were privately disclosed to us through our responsible disclosure process by vulnerability researchers at Imperva.

Thank you to Imperva for finding and disclosing this vulnerability to us. Snyk is very proud to be one of the leading proponents of responsible disclosure programs and open source technology. One of the main tenets of a robust and modern security posture is to encourage external testing of software that compliments internal testing and tooling. At Snyk, it’s our business to know that all software has the potential to include vulnerabilities. We will continue to take all steps necessary to ensure our software is rigorously tested and our users’ safety is paramount.

To stress, these are medium severity vulnerabilities rather than high or critical ones. The potential impact is mitigated by the difficulty to exploit in most cases. However good hygiene is important regardless of severity and we recommend regularly updating your tools to help stay secure.

We apologize for any inconvenience caused in needing to upgrade the Snyk CLI and IDE plugins. Please reach out with any questions through our Snyk Support portal.