CVE-2024-50611: n/a
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.
AI Analysis
Technical Summary
CVE-2024-50611 affects CycloneDX cdxgen versions through 10.10.7. When cdxgen is pointed at an untrusted codebase, code contained in build-related files such as build.gradle.kts can run with the privileges of the user invoking cdxgen. The cause is not a parsing bug. To produce an accurate dependency list for a Gradle project, cdxgen invokes Gradle, and Gradle evaluates build.gradle.kts (and settings.gradle.kts) as a Kotlin program; a repository-supplied gradlew wrapper is likewise an arbitrary script. Whatever those files do during Gradle's configuration phase runs before any dependency output exists, so there is nothing for cdxgen to sanitize or isolate after the fact. This is the same class of issue as CVE-2022-24441 in the Snyk CLI, and it has been characterized as a design limitation of build-tool-backed SBOM generation rather than an implementation mistake. The CVSS 3.1 metrics should be read with that in mind. PR:H describes the attacker in the CVSS model, here the ability to place files into a repository that will be scanned (commit access, or a pull request that gets checked out), not a requirement that cdxgen itself run as an administrator; the injected code runs with whatever privileges the scanning user has, which is why running the scanner with minimal privileges matters. UI:N reflects that no action beyond the scan itself is needed from the victim, and AV:N that the malicious checkout is delivered over the network, for example a cloned repository or a fetched archive. C:H/I:H/A:H follow from arbitrary code execution in the scanning context, where CI tokens, registry credentials and the host filesystem are commonly reachable. No patch is linked, which is consistent with a design limitation, and no exploitation in the wild has been reported. Because cdxgen is embedded in other supply chain tooling, including OWASP dep-scan, any pipeline that feeds it untrusted repositories inherits the exposure.
Potential Impact
The vulnerability poses a significant risk to organizations that use CycloneDX cdxgen for software bill of materials (SBOM) generation or dependency scanning of untrusted or external codebases: pull requests from forks, third-party or vendored source, and repositories pulled in bulk for inventory. Successful exploitation gives the attacker arbitrary code execution with the privileges of the user running cdxgen, which on a CI/CD runner typically means access to the checkout, the job's environment variables and tokens, and any mounted credentials, and can extend to the host if the scanner is not isolated. Two consequences follow. The first is the usual one for code execution: data theft, lateral movement from the runner, and disruption of the build pipeline. The second is specific to SBOM tooling: a build script that controls the scan also controls its output, so the generated SBOM (and any dep-scan result derived from it) can be made to omit or misreport dependencies, undermining the supply chain assurance the tool exists to provide. The impact spans confidentiality, integrity and availability, making this a serious concern for development and security teams that automate scanning of code they do not fully trust.
Mitigation Recommendations
1. Do not run cdxgen against untrusted or external codebases except inside an isolated, disposable environment (a container or VM with no access to production credentials, CI tokens or the host filesystem). Treat "generate an SBOM for this repository" as "execute this repository's build scripts".
2. Run cdxgen as an unprivileged user, never as administrator or root; the code in a malicious build file runs with exactly the scanner's privileges.
3. Gate scans on trust: restrict who can introduce code into repositories that are scanned automatically, and review build-related files (build.gradle, build.gradle.kts, settings.gradle.kts, gradlew and similar) before the first scan of a new or external project.
4. Use containerization or virtual machines to separate the scanning process from critical infrastructure, and give the sandbox nothing it does not need: no secrets in the environment, read-only source mounts, dropped capabilities.
5. Monitor build-related files such as build.gradle.kts for unexpected or suspicious modifications, and alert on scanner processes that spawn shells or open network connections that Gradle dependency resolution does not explain.
6. Follow updates from the CycloneDX maintainers for patches or design changes addressing this limitation; since it is a design limitation, do not assume a version newer than 10.10.7 changes the behaviour unless the release notes say so.
7. Integrate additional checks into CI/CD pipelines to detect anomalous behaviour during dependency scanning.
8. Educate developers and security teams about the risks of processing untrusted code with tools that execute build scripts.
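The following shell script is an added example, not part of this page's analysis or of the cdxgen project; it turns mitigations 1 through 4 into something a CI step can call: a pre-scan gate that refuses an unconfined scan when an untrusted checkout contains files the build tool would execute, and a confined docker invocation for when the scan must happen anyway. It assumes a POSIX shell with find and docker, the cdxgen container image ghcr.io/cyclonedx/cdxgen (the image tag, the cdxgen arguments, the 65534 UID, the GRADLE_USER_HOME location and the resource limits are assumptions to adjust), and a list of build-script names that is illustrative rather than complete.

```shell
#!/bin/sh
# Added example, not cdxgen project code: a pre-scan gate and a confined
# invocation for running cdxgen against checkouts you do not control.
#
# The file names below are ones the underlying build tool evaluates as code:
# Gradle compiles and runs build.gradle(.kts) and settings.gradle(.kts), and
# gradlew/gradlew.bat are repository-supplied scripts. The list is an
# assumption for illustration; extend it for the ecosystems your pipeline scans.

# list_executable_build_files DIR
#   Print every file under DIR that an SBOM scan would end up executing.
list_executable_build_files() {
    find "$1" -type f \( -name build.gradle -o -name build.gradle.kts \
        -o -name settings.gradle -o -name settings.gradle.kts \
        -o -name gradlew -o -name gradlew.bat \) 2>/dev/null
}

# has_executable_build_files DIR
#   Exit 0 when at least one such file exists, 1 otherwise.
has_executable_build_files() {
    [ -n "$(list_executable_build_files "$1")" ]
}

# gate_scan DIR TRUSTED(yes|no)
#   Exit 0 when an unconfined scan is acceptable: the checkout is trusted, or
#   it contains nothing the build tool would execute. Exit 2 when the checkout
#   is untrusted and carries build scripts; the caller must then use the
#   confined invocation below or refuse to scan.
gate_scan() {
    dir="$1"
    trusted="${2:-no}"
    [ "$trusted" = "yes" ] && return 0
    if has_executable_build_files "$dir"; then
        printf 'refusing unconfined scan: %s contains build scripts that execute during SBOM generation:\n' "$dir" >&2
        list_executable_build_files "$dir" >&2
        return 2
    fi
    return 0
}

# sandboxed_cdxgen_cmd SRC_DIR OUT_DIR
#   Print a docker invocation that confines the scan: unprivileged UID, all
#   capabilities dropped, no privilege escalation, read-only root filesystem
#   and source tree, scratch space only on a tmpfs, bounded memory and process
#   count, and only OUT_DIR writable. Network stays enabled because dependency
#   resolution normally needs it; add --network none when the build cache is
#   pre-populated. Image tag and cdxgen arguments follow the project's
#   published docker usage but are assumptions here; pin a vetted digest.
sandboxed_cdxgen_cmd() {
    src="$1"
    out="$2"
    printf 'docker run --rm --user 65534:65534 --cap-drop ALL '
    printf -- '--security-opt no-new-privileges --read-only --tmpfs /tmp '
    printf -- '-e HOME=/tmp -e GRADLE_USER_HOME=/tmp/gradle '
    printf -- '--memory 2g --pids-limit 256 '
    printf -- '-v %s:/app:ro -v %s:/out:rw ' "$src" "$out"
    printf 'ghcr.io/cyclonedx/cdxgen:latest -r /app -o /out/bom.json\n'
}

# Usage from a CI step, after checking the repository out into ./src:
#   . ./cdxgen_gate.sh
#   if gate_scan ./src no; then cdxgen -r ./src -o bom.json
#   else eval "$(sandboxed_cdxgen_cmd "$PWD/src" "$PWD/out")"; fi
```

The gate is deliberately coarse: it does not try to decide whether a build script is malicious, because a Kotlin DSL file cannot be judged safe by inspection in a pipeline. It only answers whether execution will happen, and if so forces the scan into a container that holds no credentials and cannot write outside its output directory. Pair it with a separate job that checks the produced bom.json, since a script that ran during the scan could also have shaped its output.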
Affected Countries
United States, Germany, Japan, United Kingdom, France, Canada, Australia, Netherlands, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-27T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b9ab7ef31ef0b557220
Added to database: 2/25/2026, 9:37:30 PM
Last enriched: 2/26/2026, 1:00:17 AM
Last updated: 4/12/2026, 5:06:55 PM