CVE-2024-48963

HIGH

Snyk CLI < 1.1294.0 - Code Injection via Current Working Directory Name

Title source: llm

Description

The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

Scores

CVSS v3 7.5
EPSS 0.0014
EPSS Percentile 33.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
npm/snyk-php-plugin 0 - 1.10.0
snyk/snyk_cli < 1.1294.0
Published Oct 23, 2024
Tracked Since Feb 18, 2026