CVE-2022-24441
CVE-2022-24441 is a medium-severity vulnerability in Snyk Snyk Cli with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.
Key facts
- Severity: Medium (CVSS 3.x base score 5.8)
- EPSS exploit prediction: 1% (49th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-78
- Affected product: Snyk Snyk Cli
- Published:
- Last modified:
Description
The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions
Frequently asked questions
- What is CVE-2022-24441?
- The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions
- How severe is CVE-2022-24441?
- CVE-2022-24441 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2022-24441 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-24441?
- CVE-2022-24441 primarily affects Snyk Snyk Cli. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-24441?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-24441 published?
- CVE-2022-24441 was published on 2022-11-30 and last updated on 2026-06-17.
References
- https://github.com/snyk/snyk-eclipse-plugin/commit/b5a8bce25a359ced75f83a729fc6b2393fc9a495
- https://github.com/snyk/snyk-intellij-plugin/commit/56682f4ba6081ce1d95cb980cbfacd3809a826f4
- https://github.com/snyk/snyk-ls/commit/b3229f0142f782871aa72d1a7dcf417546d568ed
- https://github.com/snyk/snyk-visual-studio-plugin/commit/0b53dbbd4a3153c3ef9aaf797af3b5caad0f731a
- https://github.com/snyk/vscode-extension/commit/0db3b4240be0db6a0a5c6d02c0d4231a2c4ba708
- https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871
- https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/
Affected products (6)
- cpe:2.3:a:snyk:snyk_cli:*:*:*:*:*:*:*:*
- cpe:2.3:a:snyk:snyk_language_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:snyk:snyk_security:*:*:*:*:*:visual_studio:*:*
- cpe:2.3:a:snyk:snyk_security:*:*:*:*:*:visual_studio_code:*:*
- cpe:2.3:a:snyk:snyk_security:*:*:*:*:*:intellij:*:*
- cpe:2.3:a:snyk:snyk_security:*:*:*:*:*:eclipse:*:*
More vulnerabilities in Snyk Snyk Cli
- CVE-2024-48964 — High (CVSS 7.5): The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The…
- CVE-2024-48963 — High (CVSS 7.5): The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The…
- CVE-2025-6624 — High (CVSS 7.2): Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through…
- CVE-2022-22984 — Medium (CVSS 5.0): The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before…
All CVEs affecting Snyk Snyk Cli →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…