CVE-2026-55849 in cyclonedx-node-npm
Summary
by MITRE • 07/09/2026
@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npm_execpath is unset or empty, allowing arbitrary OS command execution with the privileges of the invoking user. This issue is fixed in version 5.0.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability exists within the @cyclonedx/cyclonedx-npm package ecosystem where command line interface functionality fails to properly sanitize user-supplied workspace parameters before executing shell commands. This flaw specifically manifests when the npm_execpath environment variable is either unset or empty, creating a dangerous execution path that allows arbitrary operating system command injection. The affected versions span from 2.1.0 through 4.9.9, representing a significant attack surface for malicious actors seeking to exploit this weakness in software supply chain security tools.
The technical implementation of this vulnerability stems from improper input validation and shell command construction within the package's CLI processing logic. When users provide --workspace arguments to the cyclonedx-npm command, these values are directly incorporated into shell execution contexts without appropriate sanitization or escaping mechanisms. This pattern violates fundamental security principles for handling untrusted input in executable contexts and creates a direct pathway for privilege escalation attacks. The vulnerability is classified under CWE-78 as improper neutralization of special elements used in operating system commands, which represents one of the most critical categories of injection flaws in software systems.
The operational impact of this vulnerability extends beyond simple command execution to encompass complete system compromise when exploited by adversaries. An attacker who can influence the --workspace parameter through legitimate means or by manipulating project configurations could execute arbitrary code with the same privileges as the invoking user. This risk becomes particularly severe in automated build environments, continuous integration pipelines, or when the tool is executed with elevated permissions. The vulnerability directly aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution, providing a vector for lateral movement and persistence within affected systems.
Organizations utilizing npm-based projects that rely on cyclonedx-npm for software bill of materials generation face significant exposure until the vulnerability is patched. The fix implemented in version 5.0.0 addresses this by introducing proper input sanitization and validation mechanisms before shell command execution. Security practitioners should prioritize updating to version 5.0.0 or later, while also implementing additional safeguards such as restricting npm package installations from untrusted sources and monitoring for anomalous command execution patterns in system logs. The vulnerability demonstrates the critical importance of input validation in security-sensitive tools and highlights the potential consequences of insufficient sanitization of user-supplied parameters in build and dependency management systems.