A critical command injection vulnerability, identified as CVE-2025-57285 with a CVSS score of 9.8, has been discovered in the codeceptjs testing framework. This flaw allows an unauthenticated attacker to execute arbitrary commands on the underlying system by supplying a specially crafted input. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, or further network intrusion.

The vulnerability exists within the emptyFolder function located in lib/utils.js. This function uses the execSync command to execute a shell command intended to clear a directory. However, the user-controlled directoryPath parameter is directly concatenated into this command without proper sanitization or escaping. An attacker can inject arbitrary shell commands by crafting a malicious directoryPath string (e.g., "/path/to/folder; malicious_command"), which will then be executed with the permissions of the user running the codeceptjs process.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for significant damage. Exploitation could grant an attacker full control over the affected server or workstation, leading to severe consequences such as the theft of sensitive data, deployment of ransomware, manipulation of critical system files, or using the compromised system as a pivot point to attack other internal network resources. The risk to data confidentiality, integrity, and availability is extremely high, posing a direct threat to business operations and security.

Immediate Action: Immediately identify all systems running the vulnerable versions of codeceptjs and update them to the latest patched version as recommended by the vendor. After patching, review system and application logs for any signs of suspicious activity or potential exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on systems where codeceptjs is installed. Look for unusual child processes being spawned by the Node.js process running codeceptjs. Monitor shell command execution logs for unexpected commands, especially those containing metacharacters like semicolons (;), pipes (|), or ampersands (&&). Scrutinize outbound network traffic from these systems for connections to unknown or malicious destinations.

Compensating Controls: If immediate patching is not feasible, apply the principle of least privilege by ensuring the codeceptjs process runs with a dedicated, low-privilege user account. Implement strict input validation on any data passed to the emptyFolder function to sanitize potentially malicious characters. If applicable, use a Web Application Firewall (WAF) to filter malicious patterns in user-supplied input before it reaches the application.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend that all affected instances of codeceptjs be patched on an emergency basis. Although this vulnerability is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its critical nature makes it a prime target for future exploitation. Remediation should be a top priority for all relevant system administrators and development teams.