CVE-2025-63706
Status: Deferred (pending action)
Command Injection in next-npm-version

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: MITRE

Description
NPM package next-npm-version 1.0.1 is vulnerable to command injection.
Meta Information
Generated: 2026-05-28
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-26
Affected Vendors & Products (2 associated CPEs)
Vendor     Product           Version / Range
afeiship   next-npm-version  1.0.1
jswork     next-npm-version  up to 1.0.1 (inclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the command injection vulnerability in the next-npm-version package affects compliance with common standards and regulations such as GDPR or HIPAA.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the command injection vulnerability in the next-npm-version package, you should avoid using or passing untrusted input to the nx.npmVersion function, especially the inName parameter, as it is not properly sanitized before being executed.

If possible, update or patch the package to a version where this vulnerability is fixed. If no fixed version is available, consider temporarily removing or disabling the use of the vulnerable function to prevent exploitation.

Additionally, review and restrict permissions on systems using this package to limit the impact of any potential exploitation.


Can you explain this vulnerability to me?

CVE-2025-63706 is a command injection vulnerability in the NPM package next-npm-version version 1.0.1. The vulnerability arises because the variable used to specify the package name (referred to as iName or inName) is not properly sanitized before being passed to the execSync function, which executes system commands.

This lack of input validation allows an attacker to inject malicious commands that get executed on the system. For example, an attacker could pass a specially crafted string that includes additional commands, causing arbitrary system commands to run with the privileges of the process using the package.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized execution of arbitrary system commands on the affected system. An attacker exploiting this flaw could run malicious commands, potentially leading to system compromise, data theft, or disruption of services.

The impact depends on the privileges of the process running the vulnerable package, but it generally poses a serious security risk as it allows command injection through unsanitized input.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the `nx.npmVersion` function with inputs that include command injection payloads to see if arbitrary commands are executed.

For example, you can try running the function with a payload such as '@jswork/next-js-core2 && id #' or 'node-ts-ocr && id #' as the input to check if the 'id' command is executed, indicating the vulnerability.

Since the vulnerability involves the `execSync` function executing unsanitized input, monitoring system logs or command execution traces for unexpected commands triggered by the `nx.npmVersion` function can also help detect exploitation attempts.

