Command injection vulnerability in Snyk CLI released prior to September 1, 2022 (older than v1.996.0)

Written by:

October 3, 2022

0 minute read

If you are a Snyk user, we want to let you know about a medium severity vulnerability (CVSSv3 6.4) in our CLI that you should be aware of: CVE-2022-40764. Because the CLI is used by our CI and IDE integrations, those are impacted too. Although hard to exploit, this vulnerability can lead to arbitrary code execution on the host system.

If you are running a version of the Snyk CLI released since September 1, 2022 (all versions from 1.996.0 inclusive), then you already have the fix. If you are using an older version, we recommend updating.

IDE integrations are easier to exploit because they automatically scan the IDE workspace. This is mitigated in most cases by the fact that Snyk’s IDE plugin is configured by default to update the CLI to the latest version every week. If you have opted out of this capability, however, please update the CLI to the latest version, or re-enable automatic updates.

You can find more information, including how to identify the release version and update the CLI on the Snyk Support portal. We’ll keep this updated with more information along with responses to any frequently asked questions that arise. As always when it comes to security, Snyk is fully committed to transparency to ensure our users' safety.
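As an added example (not part of the original advisory, and not Snyk's own tooling), the following POSIX shell script decides whether an installed Snyk CLI predates the fixed release, 1.996.0, so it can be dropped into a CI step or a fleet inventory check. It assumes that `snyk --version` prints the version as the first whitespace-delimited token on its first line (for example `1.996.0`), that CLI versions are plain `major.minor.patch` numbers, and that `npm install -g snyk@latest` is the install channel in use; adjust the update command if you installed the CLI another way.

```shell
#!/bin/sh
# Added example: flag Snyk CLI builds older than the first release that
# contains the fix for CVE-2022-40764. Not code from the Snyk advisory.

FIXED_VERSION="1.996.0"   # first release with the fix (from the advisory)

# version_lt A B : succeeds (returns 0) when version A sorts before B.
# Compares only the numeric major.minor.patch fields; a pre-release suffix
# after '-' is ignored (assumption: Snyk CLI releases are plain x.y.z).
version_lt() {
    a=${1%%-*}
    b=${2%%-*}
    set -- $(printf '%s\n' "$a" | tr '.' ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$b" | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# snyk_cli_vulnerable VERSION : succeeds when VERSION is older than 1.996.0.
snyk_cli_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed_cli : reads the version from the snyk binary on PATH and
# prints an assessment. Exit codes: 0 fixed, 1 affected, 2 CLI not found.
# Assumption: the first token of the first line of `snyk --version` is the
# bare version string.
check_installed_cli() {
    if ! command -v snyk >/dev/null 2>&1; then
        echo "snyk CLI not found on PATH"
        return 2
    fi
    v=$(snyk --version 2>/dev/null | awk 'NR==1 {print $1}')
    if snyk_cli_vulnerable "$v"; then
        echo "snyk $v is affected by CVE-2022-40764; upgrade to >= $FIXED_VERSION (e.g. npm install -g snyk@latest)"
        return 1
    fi
    echo "snyk $v already contains the fix"
    return 0
}

# Stand-alone usage: run the check against whatever snyk is on PATH.
if [ "${1:-}" = "--check" ]; then
    check_installed_cli
fi
```

Run it as `sh snyk-check.sh --check` on each build agent or developer machine; a non-zero exit code marks hosts that still need the upgrade, which is the signal you want in a CI gate rather than a printed message.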

You can find the individual vulnerabilities in our public vulnerability database:

Here’s a bit more detail for those interested:

  • This vulnerability was privately disclosed to us through our responsible disclosure process by vulnerability researchers at Imperva.

  • A fix was implemented and a new version of the Snyk CLI was released on September 1, 2022 with said fix.

  • The CVE was publicly disclosed on September 29, 2022.

Thank you to Imperva for finding and disclosing this vulnerability to us. Snyk is very proud to be one of the leading proponents of responsible disclosure programs and open source technology. One of the main tenets of a robust and modern security posture is to encourage external testing of software that complements internal testing and tooling. At Snyk, it’s our business to know that all software has the potential to include vulnerabilities. We will continue to take all steps necessary to ensure our software is tested and our users are safe.

To note: this is a medium severity vulnerability rather than a high or critical one. The potential impact is mitigated by the difficulty of exploiting it in most cases. But we’d prefer to err on the side of caution with this statement and a general reminder to update your tools where possible to help you stay secure. We apologize for any inconvenience caused in needing to upgrade the Snyk CLI. If you have any additional questions, please open a support ticket from support.snyk.io and we’ll help.




© 2024 Snyk Limited
Registered in England and Wales
