Codeceptjs Command Injection Vulnerability in EmptyFolder Function

Vulnerability

A command injection vulnerability has been identified in Codeceptjs version 3.7.3. The issue arises in the emptyFolder function within lib/utils.js, where the execSync command improperly concatenates the user-controlled directoryPath parameter without adequate sanitization or escaping. This flaw enables attackers to execute arbitrary commands.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where Codeceptjs is running.

Reproduction

To reproduce this vulnerability, create a malicious configuration object that includes a crafted output path. The path should be designed to exploit the command injection vulnerability by appending a command after a semicolon. Then, initialize a Codecept instance with this configuration and call the emptyFolder function. The injected command will be executed, demonstrating the command injection vulnerability.

Added: Sep 8, 2025, 6:17 PM
Updated: Sep 8, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.