Vulnerability Database

308,485

Total vulnerabilities in the database

CVE-2025-57285

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

Published: Sep 8, 2025
Updated: Nov 17, 2025
CVE: CVE-2025-57285
GHSA: GHSA-34w8-mcwr-vg29
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
codeceptjs	3.5.0	3.7.5
codecept / codeceptjs	3.7.3	3.7.3.x

https://gist.github.com/Dremig/1ba111f9b1f7cffe1fcb4838b64e55b9
https://github.com/codeceptjs/CodeceptJS/pull/3604
https://github.com/codeceptjs/CodeceptJS/pull/5190
https://www.npmjs.com

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo