CVE-2022-42002

CRITICAL

sonicjs < 0.6.0 - Unauthenticated Arbitrary File Write and Delete via fileCreate and fileUpdate Mutations

Title source: llm

Description

SonicJS through 0.6.0 allows file overwrite. It exposes two mutations that are used for updating files: fileCreate and fileUpdate. Both mutations can be called without any authentication to overwrite any file on a SonicJS application, leading to arbitrary file write and delete.

References (2)

Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/blog/graphql-security-static-analysis-snyk-code/
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/lane711/sonicjs/tags

Scores

CVSS v3 9.1
EPSS 0.0104
EPSS Percentile 59.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-787
Status published
Products (1)
sonicjs/sonicjs < 0.6.0
Published Oct 01, 2022
Tracked Since Feb 18, 2026