CVE-2022-22984
Command Injection vulnerability in snyk (npm)

Type: Command Injection. Known public exploit: none.

What is CVE-2022-22984 About?

Multiple Snyk packages, including the `snyk` CLI before 1.1064.0 and several of its ecosystem plugins, are vulnerable to Command Injection because the fix for the earlier CVE-2022-40764 was incomplete. An attacker who can pass crafted command-line flags to the Snyk CLI can run arbitrary commands on the host where it is installed. Exploitation requires a user to run `snyk test` against untrusted files, or a pipeline that lets untrusted input reach the CLI's arguments.

Affected Software

  • snyk
    • <1.1064.0
  • snyk-mvn-plugin
    • <2.31.3
  • snyk-sbt-plugin
    • <2.16.2
  • snyk-python-plugin
    • <1.24.2
  • @snyk/snyk-hex-plugin
    • <1.1.6
  • snyk-gradle-plugin
    • <3.24.5
  • snyk-docker-plugin
    • <5.6.5
  • @snyk/snyk-cocoapods-plugin
    • <2.5.3

Technical Details

The core snyk CLI and several ecosystem plugins (snyk-mvn-plugin, snyk-gradle-plugin, snyk-sbt-plugin, snyk-python-plugin, @snyk/snyk-hex-plugin, snyk-docker-plugin and @snyk/snyk-cocoapods-plugin) are affected by a Command Injection vulnerability that is a consequence of an incomplete fix for CVE-2022-40764. These plugins drive the corresponding build and package tooling as child processes, and crafted command-line flags handed to the Snyk CLI, typically while running `snyk test` on untrusted project files, get past the earlier sanitization and reach a command execution path, so attacker-controlled text is executed as a command on the host. Taken on its own, the prerequisite is strong: an attacker who can already choose every argument to a local CLI can usually execute commands without this bug. The realistic vector is a CI pipeline in which developers parameterize the Snyk invocation from inputs such as pipeline variables or files in the repository under test; there the flaw turns the Snyk CLI into a foothold for a wider supply-chain attack.

What is the Impact of CVE-2022-22984?

Successful exploitation allows an attacker to execute arbitrary commands on the host with the privileges of the Snyk CLI process. In a CI pipeline that is normally the build agent's account, which often holds repository, registry and deployment credentials, so the outcome can range from data exfiltration to tampering with build artifacts, lateral movement and full system compromise.

What is the Exploitability of CVE-2022-22984?

Exploitation complexity is moderate. The attacker needs a way to influence the arguments the Snyk CLI is started with, and a user or automation must then run `snyk test` (or another affected operation) on untrusted files. No authentication to the Snyk CLI is involved. The vulnerability is local to the machine running the CLI, but it becomes remotely triggerable wherever untrusted input reaches the command line: a CI job whose build script fills Snyk flags from pipeline parameters, pull-request metadata or files in the repository under test, or a developer who routinely runs `snyk test` on externally supplied projects. If an attacker already controls the full command line of a local process, this issue adds little; the risk is concentrated in pipelines where only part of the invocation is meant to be user-controlled.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2022-22984?

Available Upgrade Options

  • snyk
    • <1.1064.0 → Upgrade to 1.1064.0 or later
  • snyk-mvn-plugin
    • <2.31.3 → Upgrade to 2.31.3 or later
  • snyk-sbt-plugin
    • <2.16.2 → Upgrade to 2.16.2 or later
  • snyk-python-plugin
    • <1.24.2 → Upgrade to 1.24.2 or later
  • @snyk/snyk-hex-plugin
    • <1.1.6 → Upgrade to 1.1.6 or later
  • snyk-gradle-plugin
    • <3.24.5 → Upgrade to 3.24.5 or later
  • snyk-docker-plugin
    • <5.6.5 → Upgrade to 5.6.5 or later
  • @snyk/snyk-cocoapods-plugin
    • <2.5.3 → Upgrade to 2.5.3 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2022-22984?

Similar vulnerabilities: CVE-2022-40764 (the earlier Snyk CLI command injection whose incomplete fix led to this issue), CVE-2021-4113, CVE-2020-5247, CVE-2020-11008, CVE-2016-10531