Summary
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths
A command injection vulnerability existed in the Maven scanning flow of cdxgen before version 12.4.3.
When cdxgen scanned an attacker-controlled Maven project, repository-controlled paths could be used in the Maven command construction. In affected versions, some Maven invocations were executed with shell: true. A directory name containing shell metacharacters could therefore be interpreted by the shell instead of being treated only as a filesystem path.
This could allow an attacker who controls a scanned repository to execute commands in the cdxgen process context.
The issue affected both the CLI and server mode. The issue is patched in 12.4.3.
Affected asset
- Project: cdxgen
- Tested version: 12.4.1
- Mode tested: server mode
- Endpoint:
POST /sbom - Scanner path: Java / Maven project scanning
Workarounds
The recommended remediation is to upgrade to 12.4.3 or later.
If immediate upgrade is not possible:
- Do not run cdxgen server mode on untrusted networks.
- Do not expose POST /sbom to unauthenticated or untrusted clients.
- Avoid scanning untrusted Java/Maven repositories.
- Run cdxgen inside a locked-down container or sandbox.
- Remove sensitive environment variables from the cdxgen process environment.
- Use least-privilege filesystem mounts.
- Restrict outbound network access where possible.
Use cdxgen secure/dry-run modes where suitable to inspect planned operations before performing scans.
Configure host and command allowlists where applicable, such as:
- CDXGEN_SERVER_ALLOWED_HOSTS
- CDXGEN_GIT_ALLOWED_HOSTS
- CDXGEN_ALLOWED_COMMANDS
- CDXGEN_SECURE_MODE=true
These mitigations reduce exposure but do not fully address the vulnerable command construction in affected versions.
Threat model clarification
The mitigation added in 12.4.3 applies to the cdxgen process boundary. Specifically, cdxgen now hardens command, option, and path values that cdxgen itself passes to external processes through safeSpawnSync.
This does not mean cdxgen sanitizes every nested path, module name, generated path, or project-controlled value that an external build tool later discovers and interprets inside its own process. Once cdxgen safely invokes Maven, Gradle, Bazel, SBT, or another build tool, that tool’s internal behavior remains a separate trust boundary.
In scope for this fix:
- command and argument values passed directly by cdxgen to child processes;
- cdxgen’s own use of shell: true;
- Maven/Bazel command invocation paths controlled by cdxgen.
Out of scope for this specific mitigation:
- arbitrary nested paths later discovered by Maven itself;
- Maven plugin behavior;
- Maven lifecycle hooks;
- build-tool-specific interpretation of project files after cdxgen has launched the tool.
This residual risk is documented in the cdxgen threat model and is why untrusted project scans should still be run in sandboxed, least-privileged environments.
Detection
Possible indicators of exploitation or probing include:
- Maven module directories containing shell metacharacters such as:
;
&
|
<
>
$
backticks
newlines
- Logs showing settings.xml or pom.xml discovered in suspicious paths.
- Unexpected files created outside the scanned repository during a Java/Maven scan.
- Unexpected child process behavior during cdxgen server scans.
- cdxgen server receiving POST /sbom requests for attacker-controlled Git URLs.
Example suspicious path pattern:
evil;cd${IFS}..;cd${IFS}..;printf${IFS}...>...;#
Credits
Reported-By: @aleff-github
Resources
- Patch PR - https://github.com/cdxgen/cdxgen/pull/4059
Impact
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Version 12.4.3 includes hardening for this issue with PR #4059
The patch adds multiple mitigations:
- Maven command invocations no longer use unconditional shell execution on POSIX platforms.
- Bazel command invocation was similarly changed away from unconditional shell execution.
- Windows compatibility is preserved using
shell: isWinwhere needed. safeSpawnSyncnow blocksshell: trueinvocations when the command or direct argument values contain shell metacharacters.- cdxgen does not validate or sanitise every nested directory. The threat model is updated to clarify mitigation scope.
Frequently Asked Questions
- What is GHSA-5VWR-QCHF-Q4PF? GHSA-5VWR-QCHF-Q4PF is a medium-severity OS command injection vulnerability in @cyclonedx/cdxgen (npm), affecting versions < 12.4.3. It is fixed in 12.4.3. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- Which versions of @cyclonedx/cdxgen are affected by GHSA-5VWR-QCHF-Q4PF? @cyclonedx/cdxgen (npm) versions < 12.4.3 is affected.
- Is there a fix for GHSA-5VWR-QCHF-Q4PF? Yes. GHSA-5VWR-QCHF-Q4PF is fixed in 12.4.3. Upgrade to this version or later.
- Is GHSA-5VWR-QCHF-Q4PF exploitable, and should I be worried? Whether GHSA-5VWR-QCHF-Q4PF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-5VWR-QCHF-Q4PF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-5VWR-QCHF-Q4PF? Upgrade
@cyclonedx/cdxgento 12.4.3 or later.