CVE-2022-30284
Published: 04 May 2022
Summary
CVE-2022-30284 is a critical-severity Argument Injection (CWE-88) vulnerability in python-libnmap (Python-Libnmap Project). Its CVSS base score is 9.0 (Critical).
Operationally, it is ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an argument injection flaw, tracked as CWE-88, in the python-libnmap package for Python through version 0.7.2. It affects the NmapProcess class when an application passes attacker-controlled data directly into Nmap arguments without validation, which can lead to remote command execution on the host running the Python code.
An unauthenticated remote attacker can exploit the issue by supplying crafted input over the network to any client application that uses python-libnmap in this manner. Successful exploitation grants the attacker the ability to execute arbitrary operating-system commands with the privileges of the vulnerable process, potentially leading to full system compromise.
Vendor statements in the package documentation and release notes emphasize that calling NmapProcess with untrusted network data is not an intended or documented use case, and they consider the high CVSS rating unrealistic. No official patches were issued; the project instead recommends that integrators perform their own argument validation before invoking the library.
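One way to do the per-integrator argument validation the project recommends, added here as an example (not code from python-libnmap or the vendor): rebuild the targets and options strings from an allowlist before they are handed to NmapProcess, and reject anything else. The allowlisted options, the regexes and the NmapProcess(targets=..., options=...) keyword signature are assumptions; libnmap itself is deliberately not imported so the block runs stand-alone.

```python
import re
import shlex

# Constructed allowlist: the only nmap options this integrator chooses to expose.
# Flag options take no value; "-p" must be followed by a separate port-list token.
_FLAG_OPTIONS = {"-sV", "-sS", "-sT", "-Pn", "-n", "-T3", "-T4"}
_PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")  # e.g. 22,80-443
# Hostname, IPv4 address or IPv4 CIDR. The first character is never '-', so a
# target can not be reinterpreted by nmap as an option.
_TARGET_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(/\d{1,2})?$")

def validate_targets(raw: str) -> str:
    """Return a space-separated target string, or raise ValueError."""
    targets = raw.split()
    if not targets:
        raise ValueError("no targets supplied")
    for target in targets:
        if not _TARGET_RE.match(target):
            raise ValueError(f"rejected target: {target!r}")
    return " ".join(targets)

def validate_options(raw: str) -> str:
    """Return an option string rebuilt only from allowlisted tokens."""
    tokens = shlex.split(raw)  # raises ValueError on unbalanced quotes
    accepted, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in _FLAG_OPTIONS:
            accepted.append(tok)
            i += 1
        elif tok == "-p" and i + 1 < len(tokens) and _PORT_RE.match(tokens[i + 1]):
            accepted.extend(["-p", tokens[i + 1]])
            i += 2
        else:
            raise ValueError(f"rejected option: {tok!r}")
    return " ".join(accepted)

def build_scan(targets: str, options: str) -> dict:
    """Keyword arguments for NmapProcess (assumed NmapProcess(targets=..., options=...)), validated."""
    return {"targets": validate_targets(targets), "options": validate_options(options)}

def is_valid_scan(targets: str, options: str) -> bool:
    """True when both strings pass validation; False on any ValueError."""
    try:
        build_scan(targets, options)
    except ValueError:
        return False
    return True
```

Anything the allowlist does not name (additional options, shell metacharacters, a second option smuggled into a target) is rejected before NmapProcess ever sees it, so the vulnerable pattern described above never receives raw network input.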
EPSS scores for the CVE rose from low values after disclosure to a peak of 0.3147 in late 2025 before receding to the current 0.1421, indicating measurable post-disclosure interest in exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0220
Vulnerability details
In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments). NOTE: the vendor believes it would be unrealistic for an application to call NmapProcess with arguments taken from input data that arrived over an untrusted network, and thus the CVSS score corresponds to an unrealistic use case. None of the NmapProcess documentation implies that this is an expected use case.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.