CVE-2024-50611: n/a
CVE-2024-50611 is a high-severity vulnerability in CycloneDX cdxgen (up to version 10.10.7) that allows code execution when the tool is run against untrusted codebases containing malicious build-related files such as build.gradle.kts. This issue is similar to CVE-2022-24441 and arises from a design limitation rather than a coding error. Exploitation requires the attacker to supply a crafted codebase and the user to run cdxgen with elevated privileges; the CVSS vector records high privileges required and no user interaction. The vulnerability impacts the confidentiality, integrity, and availability of affected systems by enabling arbitrary code execution. Although no known exploits are currently in the wild, organizations using cdxgen, including those leveraging OWASP dep-scan, should treat this vulnerability seriously. Mitigation involves avoiding running cdxgen on untrusted codebases, restricting execution privileges, and monitoring for suspicious build files.
AI Analysis
Technical Summary
CVE-2024-50611 is a vulnerability affecting CycloneDX cdxgen versions through 10.10.7. The vulnerability allows an attacker to execute arbitrary code when cdxgen is run against an untrusted codebase containing malicious build-related files, such as build.gradle.kts scripts. This occurs because cdxgen processes these build files in a manner that can trigger code execution, a behavior similar to the previously reported CVE-2022-24441. The root cause is identified as a design limitation rather than a coding error, meaning the tool inherently trusts and executes code from build files without sufficient isolation or sanitization. The vulnerability requires the user to run cdxgen with high privileges (PR:H) and does not require user interaction (UI:N). The attack vector is network-based (AV:N), implying that an attacker can supply a malicious codebase remotely or via a repository. The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) by enabling arbitrary code execution, potentially leading to full system compromise. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The affected tool, cdxgen, is used in software supply chain security processes, including by OWASP dep-scan, making this vulnerability relevant to organizations relying on these tools for dependency scanning and SBOM generation.
Potential Impact
The vulnerability poses a significant risk to organizations that use CycloneDX cdxgen for software bill of materials (SBOM) generation or dependency scanning, especially when analyzing untrusted or external codebases. Successful exploitation can lead to arbitrary code execution with the privileges of the user running cdxgen, potentially resulting in full system compromise, data theft, or disruption of software supply chain processes. This can undermine the integrity of software supply chain security efforts, allowing attackers to inject malicious code or disrupt build pipelines. Organizations relying on automated scanning tools in CI/CD environments are particularly vulnerable if these tools process untrusted inputs without adequate isolation. The impact extends to confidentiality, integrity, and availability, making this a critical concern for software development and security teams worldwide.
Mitigation Recommendations
1. Avoid running cdxgen against untrusted or external codebases unless in a fully isolated and sandboxed environment.
2. Run cdxgen with the least privileges necessary, never with administrative or root privileges.
3. Implement strict access controls and codebase validation before scanning to ensure only trusted code is processed.
4. Use containerization or virtual machines to isolate the scanning process from critical infrastructure.
5. Monitor build-related files such as build.gradle.kts for unexpected or suspicious modifications.
6. Follow updates from CycloneDX maintainers for patches or design changes addressing this limitation.
7. Integrate additional security checks in CI/CD pipelines to detect anomalous behavior during dependency scanning.
8. Educate developers and security teams about the risks of processing untrusted code with tools that execute build scripts.
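The following is an added example of how a CI pipeline can enforce recommendations 2 through 5 together; it is not code from the cdxgen or OWASP dep-scan projects. It inventories the build-related files that build tools (and therefore cdxgen, which invokes them) would evaluate as code, compares their hashes against a pinned baseline of approved build scripts, and only if nothing is unexpected or modified builds a docker invocation that runs cdxgen as an unprivileged user with no network, all capabilities dropped and the source mounted read-only. The image name, the cdxgen argument form (`-o <output> <source>`), the JSON baseline format and the list of build-script file names are assumptions for the illustration, and the sample checkout is constructed inside the script.

```python
"""Pre-scan gate for cdxgen (added illustration, not project code).

Assumptions not taken from the advisory:
  - approved build scripts are pinned as {relative_path: sha256}
  - cdxgen is run from the container image in CDXGEN_IMAGE (placeholder)
  - the image's entrypoint is cdxgen and accepts "-o <out> <src>"
"""
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path

# Illustrative list of files a build tool evaluates as code or configuration;
# extend it for the ecosystems your scanner processes.
BUILD_SCRIPT_NAMES = {
    "build.gradle", "build.gradle.kts", "settings.gradle", "settings.gradle.kts",
    "gradle.properties", "pom.xml", "package.json", "setup.py", "Makefile",
}
BUILD_SCRIPT_SUFFIXES = (".gradle", ".gradle.kts")
CDXGEN_IMAGE = "ghcr.io/cyclonedx/cdxgen:latest"  # placeholder: pin a digest in real use


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_build_scripts(root: Path) -> dict:
    """Return {relative_posix_path: sha256} for every build-related file under root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            if name in BUILD_SCRIPT_NAMES or name.endswith(BUILD_SCRIPT_SUFFIXES):
                p = Path(dirpath) / name
                found[p.relative_to(root).as_posix()] = sha256_file(p)
    return found


def check_against_baseline(inventory: dict, baseline: dict) -> dict:
    """Classify build scripts relative to the approved baseline (recommendations 3 and 5)."""
    return {
        "unexpected": sorted(k for k in inventory if k not in baseline),
        "modified": sorted(k for k in inventory if k in baseline and inventory[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in inventory),
    }


def sandboxed_cdxgen_command(src: Path, out_dir: Path, uid: int = 65534) -> list:
    """docker argv: unprivileged user, no network, no capabilities, read-only source
    (recommendations 2 and 4). Drop ':ro' if the build tool must write into the tree."""
    return [
        "docker", "run", "--rm",
        "--network", "none",
        "--user", f"{uid}:{uid}",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--read-only", "--tmpfs", "/tmp",
        "-v", f"{src.resolve()}:/src:ro",
        "-v", f"{out_dir.resolve()}:/out",
        CDXGEN_IMAGE, "-o", "/out/bom.json", "/src",
    ]


def gated_scan(src: Path, out_dir: Path, baseline: dict, execute: bool = False):
    """Refuse to invoke cdxgen unless every build script matches the pinned baseline.
    Returns (allowed, verdict, command)."""
    verdict = check_against_baseline(inventory_build_scripts(src), baseline)
    if verdict["unexpected"] or verdict["modified"]:
        return False, verdict, None
    cmd = sandboxed_cdxgen_command(src, out_dir)
    if execute:
        subprocess.run(cmd, check=True)
    return True, verdict, cmd


def demo() -> dict:
    """Constructed sample: a checkout with one approved build.gradle.kts, then a
    second script dropped into a subdirectory and the approved one edited."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp) / "checkout", Path(tmp) / "out"
        (src / "lib").mkdir(parents=True)
        out.mkdir()
        (src / "build.gradle.kts").write_text('plugins { kotlin("jvm") }\n')
        baseline = inventory_build_scripts(src)  # pin the reviewed state
        ok_before, _, cmd = gated_scan(src, out, baseline)
        (src / "lib" / "build.gradle.kts").write_text("// constructed, unreviewed script\n")
        (src / "build.gradle.kts").write_text('plugins { kotlin("jvm") }\n// edited\n')
        ok_after, verdict, _ = gated_scan(src, out, baseline)
        return {
            "ok_before": ok_before, "ok_after": ok_after,
            "unexpected": verdict["unexpected"], "modified": verdict["modified"],
            "network_none": cmd[cmd.index("--network") + 1] == "none",
        }


if __name__ == "__main__":
    print(demo())
```

The gate does not make cdxgen safe on an untrusted checkout, which recommendation 1 says to avoid altogether; it ensures the scanner only ever sees build scripts someone has reviewed and pinned, and bounds what a malicious script could reach if one slipped through. In practice the baseline file is committed alongside the pipeline definition and regenerated only through code review.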
Affected Countries
United States, Germany, Japan, United Kingdom, France, Canada, Australia, Netherlands, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-27T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b9ab7ef31ef0b557220
Added to database: 2/25/2026, 9:37:30 PM
Last enriched: 2/26/2026, 1:00:17 AM
Last updated: 2/26/2026, 9:17:03 AM