{"vulnerability": "cve-2025-63706", "sightings": [{"uuid": "e86e92f8-0137-409f-89ba-bf48237ffc8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63706", "type": "seen", "source": "https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72", "content": "\nProduct: https://www.npmjs.com/package/@jswork/next-npm-version\nVersion: v1.0.1\nVulnerability type: Command injection inside @jswork/next-npm-version through version 1.0.1\nCVE ID: CVE-2025-63706\n\nDescription:\nThe npm package next-npm-version, through the function nx.npmVersion defined on line 19 of index.js, does not properly sanitize the inName variable before it is passed to execSync, which executes a command using npm show.\nAn attacker is able to inject code when calling the npmVersion function to check the version of an npm package. This is possible because the code does not sanitize the inName variable before it is passed to child_process execSync.\nThis code uses the npm show CLI command to execute the code.\n\nPayload used:\n\n> import '@jswork/next-npm-version';\n>\n> console.log(nx.npmVersion('node-ts-ocr && id #'));\n> // '2.6.0'\n>\n> This executes the 'id' command.", "creation_timestamp": "2026-05-06T19:59:28.000000Z"}]}