CVE-2022-25853

7.4 HIGH

📋 TL;DR

CVE-2022-25853 is a command injection vulnerability in the semver-tags npm package that allows attackers to execute arbitrary commands on the host system. The vulnerability exists in the getGitTagsRemote function due to improper input sanitization. Anyone using the semver-tags package in their Node.js applications is affected.

💻 Affected Systems

Products:
  • semver-tags
Versions: All versions
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects all versions of semver-tags. The package must be used in a way that calls the vulnerable getGitTagsRemote function with untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing remote code execution, data theft, lateral movement, and complete control of the affected system.

🟠 Likely Case

Arbitrary command execution with the privileges of the Node.js process, potentially leading to data exfiltration, service disruption, or installation of malware.

🟢 If Mitigated

Limited impact due to proper input validation, sandboxing, or minimal privileges, potentially resulting in failed exploitation or limited command execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control input to the getGitTagsRemote function. The vulnerability is well-documented with public proof-of-concept examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specifically versioned - package appears unmaintained

Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-SEMVERTAGS-3175612

Restart Required: No

Instructions:

1. Remove semver-tags from your project dependencies.
2. Use an alternative package for semantic version tag management.
3. Run npm audit fix if applicable.
4. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input Validation Wrapper

Platform: all

Create a wrapper function that validates and sanitizes all input before passing it to getGitTagsRemote.

// JavaScript implementation required - no single command

Package Replacement

Platform: all

Replace semver-tags with a maintained alternative such as conventional-changelog or standard-version.

npm uninstall semver-tags
npm install conventional-changelog --save-dev

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all parameters passed to semver-tags functions
  • Run Node.js process with minimal privileges and in a sandboxed/containerized environment

🔍 How to Verify

Check if Vulnerable:

Check package.json for semver-tags dependency: grep -r 'semver-tags' package.json

Check Version:

npm list semver-tags

Verify Fix Applied:

Verify semver-tags is no longer in package.json and node_modules: npm list semver-tags

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Node.js process spawning unexpected child processes
  • Git command execution with suspicious parameters

Network Indicators:

  • Unexpected outbound connections from Node.js process
  • DNS requests to suspicious domains following command execution

SIEM Query:

process.name:node AND child_process.name:(sh OR bash OR cmd) AND -process.args:(expected-git-command)

Replace expected-git-command with the git invocation your application legitimately runs, so that only shells spawned by a Node.js process with other arguments are flagged.
