Uncontrolled Search Path Element Affecting @salesforce/cli package, versions <2.106.6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-SALESFORCECLI-13011148
- published23 Sept 2025
- disclosed23 Sept 2025
- creditUnknown
Introduced: 23 Sep 2025
NewCVE-2025-9844 (opens in a new tab)How to fix?
Upgrade @salesforce/cli to version 2.106.6 or higher.
Overview
@salesforce/cli is a The Salesforce CLI
Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the Replace Trusted Executable feature. An attacker can execute arbitrary code by placing a malicious executable in a directory that is searched before the intended trusted executable.
Note:
This vulnerability affects only those customers who downloaded the software from an untrusted source, rather than directly from the official Salesforce site. Untrusted downloads may contain a malicious file in the local directory, which could be executed instead of the legitimate files in the specified file path.