CVE-2025-57285
Severity: CRITICAL
codeceptjs 3.5.0-3.7.5 - OS Command Injection via emptyFolder Function
Title source: llmDescription
codeceptjs (reported against 3.7.3; the npm package is listed as affected from 3.5.0 through 3.7.5) contains a command injection vulnerability in the emptyFolder function in lib/utils.js. The function builds a shell command by concatenating the caller-supplied directoryPath parameter into the string passed to child_process.execSync, without sanitizing or escaping it. Because execSync hands that string to a shell, a directoryPath containing shell metacharacters (such as `;`, `&&` or `$(...)`) lets whoever controls the value execute arbitrary commands with the privileges of the Node.js process. Exploitability depends on whether untrusted input can reach the directoryPath argument; the CVSS 3.1 vector below (AV:N/PR:N/UI:N) assumes it can.
References (2)
- Exploit, Third Party Advisory: https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9
- Product: https://www.npmjs.com
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0292 (percentile 86.6%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
Status: published
Products (2)
- codecept/codeceptjs: 3.7.3
- npm/codeceptjs: 3.5.0 - 3.7.5
Published: Sep 08, 2025
Tracked Since: Feb 18, 2026