Upgrade @cyclonedx/cdxgen to version 12.4.3 or higher.
@cyclonedx/cdxgen creates CycloneDX Software Bill of Materials (SBOM) documents from source or container images.
Affected versions of this package are vulnerable to Arbitrary Argument Injection via the Maven project scanning process. An attacker can execute arbitrary shell commands by submitting a repository whose module paths contain shell metacharacters; because the scanner builds the Maven command as a shell string, those characters are interpreted by the shell rather than passed through as a literal path. This leads to execution of unintended commands in the process context of cdxgen when it scans attacker-controlled Maven projects, in both CLI and server modes.
Upgrading is the fix; until the upgrade is applied, reduce exposure and limit impact. Do not run server mode on untrusted networks, and do not expose the POST /sbom endpoint to unauthenticated or untrusted clients. Avoid scanning untrusted Java/Maven repositories. Run the process inside a locked-down container or sandbox, strip sensitive environment variables from it, mount only the filesystem paths it needs with least privilege, and restrict its outbound network access. Use the secure/dry-run modes and configure host and command allowlists.