CVE-2025-63706
Deferred Deferred - Pending Action
Command Injection in next-npm-version

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: MITRE

Description
NPM package next-npm-version1.0.1 is vulnerable to Command injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63706
EUVD
EUVD-2025-209724
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
afeiship next-npm-version 1.0.1
jswork next-npm-version to 1.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate the command injection vulnerability in the next-npm-version package, you should avoid using or passing untrusted input to the nx.npmVersion function, especially the inName parameter, as it is not properly sanitized before being executed.

If possible, update or patch the package to a version where this vulnerability is fixed. If no fixed version is available, consider temporarily removing or disabling the use of the vulnerable function to prevent exploitation.

Additionally, review and restrict permissions on systems using this package to limit the impact of any potential exploitation.

Compliance Impact

The provided information does not specify how the command injection vulnerability in the next-npm-version package affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-63706 is a command injection vulnerability in the NPM package next-npm-version version 1.0.1. The vulnerability arises because the variable used to specify the package name (referred to as iName or inName) is not properly sanitized before being passed to the execSync function, which executes system commands.

This lack of input validation allows an attacker to inject malicious commands that get executed on the system. For example, an attacker could pass a specially crafted string that includes additional commands, causing arbitrary system commands to run with the privileges of the process using the package.

Impact Analysis

This vulnerability can lead to unauthorized execution of arbitrary system commands on the affected system. An attacker exploiting this flaw could run malicious commands, potentially leading to system compromise, data theft, or disruption of services.

The impact depends on the privileges of the process running the vulnerable package, but it generally poses a serious security risk as it allows command injection through unsanitized input.

Detection Guidance

This vulnerability can be detected by testing the `nx.npmVersion` function with inputs that include command injection payloads to see if arbitrary commands are executed.

For example, you can try running the function with a payload such as '@jswork/next-js-core2 && id #' or 'node-ts-ocr && id #' as the input to check if the 'id' command is executed, indicating the vulnerability.

Since the vulnerability involves the `execSync` function executing unsanitized input, monitoring system logs or command execution traces for unexpected commands triggered by the `nx.npmVersion` function can also help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart