CVE-2026-55849
CycloneDX · cyclonedx-node-npm
The @cyclonedx/cyclonedx-npm package is vulnerable to OS Command Injection, allowing an attacker to execute arbitrary commands during the generation of Software Bill of Materials (SBOM).
Executive summary
A high-severity OS command injection vulnerability in @cyclonedx/cyclonedx-npm could allow an attacker to execute arbitrary code on systems generating SBOMs.
Vulnerability
This is an OS Command Injection vulnerability (CWE-78) where improper neutralization of special elements allows attackers to inject and execute system commands. The attack vector requires a user to trigger the tool, typically in a development or build environment.
Business impact
An attacker who successfully exploits this vulnerability can execute arbitrary commands with the privileges of the user running the npm project build process. This could result in the theft of environment variables, source code, or the compromise of build servers, justifying the high CVSS score of 8.5.
Remediation
Immediate Action: Update the @cyclonedx/cyclonedx-npm package to version 5.0.0 or higher to resolve the command injection flaw.
Proactive Monitoring: Audit build pipelines for unusual process execution or network activity originating from the SBOM generation task.
Compensating Controls: Run SBOM generation processes in ephemeral, low-privilege containers to limit the impact of potential command execution.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams should audit their Node.js project dependencies to identify and update any instances of the vulnerable package. Patching is critical to ensure that build environments do not become an entry point for lateral movement or data exfiltration.