CVE-2022-21186
Published: 05 August 2022
Summary
CVE-2022-21186 is a critical-severity command injection vulnerability in Acrontum Filesystem-Template (the npm package @acrontum/filesystem-template); no specific CWE is assigned on this page. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The package @acrontum/filesystem-template before version 0.0.2 contains an arbitrary command injection vulnerability in its fetchRepo API. The flaw stems from missing sanitization of the href field supplied via external input, allowing untrusted values to reach command execution paths. The issue received a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can supply a crafted href value to the fetchRepo function and execute arbitrary commands on the host. Successful exploitation yields full control over confidentiality, integrity, and availability of the affected system without requiring user interaction or privileges. In practice the reachable attack surface is whatever consuming application passes caller-controlled href values into fetchRepo; a deployment that only clones hard-coded repositories does not expose the injection to external input, although the vulnerable code is still present until the package is upgraded.
The referenced GitHub commit in pull request 14 and the associated Snyk advisory document the remediation, which is included in release 0.0.2 and later. Users are advised to upgrade the package to close the injection vector.
EPSS for the CVE rose from a low baseline to a peak of 0.1116 on 2025-12-11 before receding to the current value of 0.0665, indicating that exploitation interest rose well after the 2022 disclosure rather than fading.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6583
Vulnerability details
The package @acrontum/filesystem-template before 0.0.2 is vulnerable to Arbitrary Command Injection because the fetchRepo API does not sanitize the href field of external input.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.