
CVE-2025-57285

Critical · Public PoC · RCE

Published: 08 September 2025
Modified: 12 September 2025
KEV Added: not listed
Patch: (none listed)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0332 (87.5th percentile)
Risk priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57285 is a critical-severity Command Injection (CWE-77) vulnerability in Codecept Codeceptjs. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Codeceptjs version 3.7.3 contains a command injection vulnerability in the emptyFolder function within lib/utils.js. The function invokes execSync while concatenating the user-supplied directoryPath parameter directly into the command string, without sanitization or escaping, so any shell syntax in that value is interpreted by the shell; this enables arbitrary command execution and corresponds to CWE-77. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-accessible impact with no required privileges or user interaction.

An unauthenticated remote attacker can supply a malicious directoryPath value to trigger execution of arbitrary operating-system commands, resulting in full confidentiality, integrity, and availability compromise on the host running the affected codeceptjs instance. The current and peak EPSS scores remain at 0.0332 with no material increase after disclosure.


Vulnerability details

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in emptyFolder via unsanitized execSync enables remote arbitrary OS command execution (T1059.004 Unix Shell) on public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4048 (shared CWE-77)
CVE-2026-31059 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)
CVE-2024-39783 (shared CWE-77)
CVE-2024-57583 (shared CWE-77)
CVE-2026-46368 (shared CWE-77)
CVE-2024-39781 (shared CWE-77)
CVE-2024-39367 (shared CWE-77)
CVE-2026-3518 (shared CWE-77)
CVE-2024-57590 (shared CWE-77)

Affected Assets

Vendor: codecept
Product: codeceptjs
Version: 3.7.3

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: SI-10 (Information Input Validation)
Directly requires validation and sanitization of the user-controlled directoryPath parameter before it is used to build an execSync command, preventing command injection.

prevent: SI-2 (Flaw Remediation)
Mandates identification, reporting, and correction of the specific command injection flaw in codeceptjs 3.7.3.

detect
Facilitates vulnerability scanning to identify deployments of vulnerable codeceptjs versions for timely patching.
