CVE-2025-57285
Published: 08 September 2025
Summary
CVE-2025-57285 is a critical-severity Command Injection (CWE-77) vulnerability in Codecept's codeceptjs. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.5% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
codeceptjs version 3.7.3 contains a command injection vulnerability in the emptyFolder function within lib/utils.js. The function invokes execSync on a command string built by directly concatenating the user-supplied directoryPath parameter, without sanitization or escaping. Any shell metacharacters in that value (such as ";", "|", "&&" or "$(...)") are therefore interpreted by the shell, enabling arbitrary command execution; this is the pattern CWE-77 describes. The CVSS 3.1 score of 9.8 reflects a network attack vector with no privileges and no user interaction required.
Under that scoring assumption, an unauthenticated remote attacker who can supply a malicious directoryPath value triggers execution of arbitrary operating-system commands, with full confidentiality, integrity and availability impact on the host running the affected codeceptjs instance. In practice the flaw is only reachable where untrusted input can actually reach directoryPath, so exposure should be confirmed per deployment rather than inferred from the score alone. The current and peak EPSS scores are both 0.0332 (roughly a 3.3% predicted probability of exploitation activity within 30 days), with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27152
Vulnerability details
codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The command passed to execSync is built by directly concatenating the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in emptyFolder through unsanitized input to execSync gives remote arbitrary OS command execution (T1059.004, Unix Shell) wherever the affected application is exposed as a public-facing service (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the user-controlled directoryPath parameter before it reaches the command string passed to execSync, preventing command injection.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the specific command injection flaw in codeceptjs 3.7.3.
- Vulnerability scanning: facilitates identification of deployments running the vulnerable codeceptjs version so they can be patched in a timely manner.