AIKIDO-2026-10556

@cyclonedx/cdxgen is vulnerable to OS command execution

OS command execution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 27, 2026

High Risk

This Affects:

JS: @cyclonedx/cdxgen
11.4.2 - 12.2.0
Fixed in 12.2.1

TL;DR

In server mode, cdxgen can clone a remote repository whose path is supplied in the request. Before the fix, the internal gitClone helper invoked Git with its default clone-time behaviour, so hook and template materialization could run host-side scripts while an attacker-influenced repository was being cloned; in the server context this can lead to arbitrary code execution on the host. The fix passes Git `-c core.hooksPath=/dev/null` and an empty `--template=`, always sets `GIT_TERMINAL_PROMPT=0` in the child process environment, and in secure server mode additionally points `GIT_CONFIG_GLOBAL` at `/dev/null` so the clone no longer reads the global Git configuration.
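The hardening the advisory describes can be expressed as a small builder plus an audit check. The block below is an added example written for this page, not cdxgen's own gitClone helper: it assembles the argv and environment for a `git clone` with the four measures above and audits an arbitrary invocation for the same properties. The function names, the `secureMode` option and the use of `--` before the repository argument are assumptions of this example, not details from the advisory; the repository URL and destination are constructed placeholders.

```javascript
// Added example (not cdxgen's code): build a hardened `git clone` invocation
// as described in the advisory, and audit an existing invocation for the
// same protections. Pure functions, no network or filesystem access.

// Return { cmd, args, env } suitable for child_process.spawn.
function buildHardenedClone(repoUrl, destDir, { secureMode = false } = {}) {
  const args = [
    '-c', 'core.hooksPath=/dev/null', // no hooks directory Git can run scripts from
    'clone',
    '--template=',                    // empty template: nothing is copied into .git
    '--',                             // assumed good practice: end option parsing so
    repoUrl, destDir,                 // a URL beginning with '-' is not read as a flag
  ];
  const env = {
    ...process.env,
    GIT_TERMINAL_PROMPT: '0',         // never block the server on a credential prompt
  };
  if (secureMode) {
    env.GIT_CONFIG_GLOBAL = '/dev/null'; // ignore the user's global Git configuration
  }
  return { cmd: 'git', args, env };
}

// Audit an argv/env pair; returns the list of measures that are missing
// (empty array means the invocation carries every measure from the fix).
function auditCloneInvocation(args, env, { secureMode = false } = {}) {
  const missing = [];
  const hasHooksPath = args.some(
    (a, i) => a === '-c' && args[i + 1] === 'core.hooksPath=/dev/null',
  );
  if (!hasHooksPath) missing.push('core.hooksPath');
  if (!args.includes('--template=')) missing.push('--template=');
  if (env.GIT_TERMINAL_PROMPT !== '0') missing.push('GIT_TERMINAL_PROMPT');
  if (secureMode && env.GIT_CONFIG_GLOBAL !== '/dev/null') {
    missing.push('GIT_CONFIG_GLOBAL');
  }
  return missing;
}

// Constructed sample invocation, as a pre-fix helper might have issued it:
// plain `git clone <url> <dir>` with the inherited environment.
const legacyArgs = ['clone', 'https://example.invalid/repo.git', '/tmp/cdx-clone'];
const legacyFindings = auditCloneInvocation(legacyArgs, {}, { secureMode: true });

const hardened = buildHardenedClone(
  'https://example.invalid/repo.git', '/tmp/cdx-clone', { secureMode: true },
);
const hardenedFindings = auditCloneInvocation(hardened.args, hardened.env, { secureMode: true });
```

Pass `hardened.cmd`, `hardened.args` and `{ env: hardened.env }` to `child_process.spawn` to perform the clone. The `/dev/null` paths are the ones the advisory names and assume a POSIX host; the audit function is useful on its own for checking any existing clone wrapper in a code review or a unit test.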

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@cyclonedx/cdxgen is vulnerable to OS command execution in versions 11.4.2 - 12.2.0.

How to fix this

Upgrade the @cyclonedx/cdxgen library to the patched version, 12.2.1.