CVE-2024-50611
📋 TL;DR
CVE-2024-50611 is a code execution vulnerability in CycloneDX cdxgen where processing untrusted codebases may execute malicious code from build files like build.gradle.kts. This affects users who run cdxgen against untrusted repositories, including those using OWASP dep-scan. The vulnerability stems from a design limitation rather than implementation error.
💻 Affected Systems
- CycloneDX cdxgen
- OWASP dep-scan (when using vulnerable cdxgen)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the cdxgen process, potentially leading to full system compromise, data theft, or lateral movement.
Likely Case
Local code execution when developers analyze untrusted projects, potentially compromising development environments and CI/CD pipelines.
If Mitigated
Limited impact when analyzing only trusted codebases with proper input validation and sandboxing.
🎯 Exploit Status
Exploitation requires the victim to process a malicious codebase; the pattern is similar to CVE-2022-24441.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.10.8 and later
Vendor Advisory: https://github.com/CycloneDX/cdxgen/issues/1328
Restart Required: No
Instructions:
1. Update cdxgen to version 10.10.8 or later using npm update -g @cyclonedx/cdxgen.
2. Verify the update with cdxgen --version.
3. Update any dependent tools such as dep-scan.
🔧 Temporary Workarounds
Sandbox execution environment
Run cdxgen in isolated containers or sandboxes with minimal privileges:
docker run --read-only --cap-drop=ALL -v "$(pwd)":/src:ro cyclonedx/cdxgen
Restrict file processing
Only process trusted codebases and validate build files before analysis.
🧯 If You Can't Patch
- Only analyze trusted codebases from verified sources
- Run cdxgen with minimal user privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check cdxgen version with 'cdxgen --version' or 'npm list -g @cyclonedx/cdxgen'. Versions ≤10.10.7 are vulnerable.
Check Version:
cdxgen --version
Verify Fix Applied:
Confirm version is 10.10.8 or higher with 'cdxgen --version'.
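As an added example (not part of this advisory or of the cdxgen project), the following POSIX shell snippet turns the version check above into a reusable test: it normalises a version string, compares it numerically against the fix version 10.10.8, and reports whether an installed cdxgen falls in the vulnerable range (≤10.10.7). It assumes that `cdxgen --version` prints a bare version number on its first output line; the function names are the example's own.

```shell
#!/bin/sh
# Added example: classify a cdxgen version against the CVE-2024-50611 fix version.
# Assumption: `cdxgen --version` prints something like "10.10.7" on its first line.

FIXED_VERSION="10.10.8"

# Normalise "v10.10.7" or "10.10.7-rc1" to "10.10.7" (drop a leading "v" and
# anything from the first non-digit, non-dot character onward).
normalize_version() {
  v="${1#v}"
  printf '%s\n' "${v%%[!0-9.]*}"
}

# Numeric comparison of major.minor.patch; prints -1, 0 or 1.
# Missing components are treated as 0, so "10.10" equals "10.10.0".
vercmp() {
  IFS=. read -r a1 a2 a3 <<EOF
$(normalize_version "$1")
EOF
  IFS=. read -r b1 b2 b3 <<EOF
$(normalize_version "$2")
EOF
  for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
    x=${pair%%:*}
    y=${pair##*:}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Print "vulnerable" for versions below 10.10.8, "fixed" otherwise.
cdxgen_status() {
  if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
    echo vulnerable
  else
    echo fixed
  fi
}

# Check the live installation when cdxgen is on PATH; otherwise say so, so the
# script still runs on a machine without cdxgen.
check_installed_cdxgen() {
  if command -v cdxgen >/dev/null 2>&1; then
    installed="$(cdxgen --version 2>/dev/null | head -n 1)"
    printf 'cdxgen %s: %s\n' "$installed" "$(cdxgen_status "$installed")"
  else
    echo "cdxgen not found on PATH"
  fi
}

check_installed_cdxgen
```

Because the comparison is numeric rather than a string match, `10.9.12` is correctly reported as vulnerable and `11.0.0` as fixed; the same function can be pointed at the version reported by `npm list -g @cyclonedx/cdxgen` if that is how cdxgen was installed.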
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from cdxgen
- Build file parsing errors in cdxgen logs
- Unusual file system or network activity during SBOM generation
Network Indicators:
- Outbound connections from cdxgen process to unexpected destinations
- DNS requests for suspicious domains during analysis
SIEM Query:
process_name:"cdxgen" AND (process_cmdline:"*build.gradle*" OR process_cmdline:"*build.*")