
CVE-2025-57285: n/a

Critical
Published: Mon Sep 08 2025 (09/08/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

codeceptjs 3.7.3 contains a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

AI-Powered Analysis

Last updated: 09/08/2025, 18:01:40 UTC

Technical Analysis

CVE-2025-57285 is a command injection vulnerability identified in version 3.7.3 of codeceptjs, a popular end-to-end testing framework for Node.js applications. The vulnerability exists in the emptyFolder function located in the lib/utils.js file. Specifically, the function uses the execSync command to delete or empty a directory, but it directly concatenates the user-controlled directoryPath parameter into the command string without any sanitization or escaping. This unsafe handling of input allows an attacker who can influence the directoryPath parameter to inject arbitrary shell commands. When the vulnerable function executes, these injected commands run with the same privileges as the Node.js process, potentially leading to full system compromise. Since execSync is synchronous and blocks the event loop, exploitation can also cause denial of service. The vulnerability does not require authentication if the attacker can supply the directoryPath parameter, which may be possible in scenarios where user input is passed to this function or through indirect means such as manipulating test scripts or CI/CD pipelines that use codeceptjs. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The lack of a CVSS score suggests this is a newly disclosed vulnerability, and its severity must be assessed based on technical impact and exploitability factors.

Potential Impact

For European organizations, the impact of CVE-2025-57285 can be significant, especially for those relying on codeceptjs in their software development lifecycle, continuous integration, and automated testing environments. Successful exploitation could allow attackers to execute arbitrary commands on build servers, developer machines, or test environments, potentially leading to unauthorized access to sensitive data, lateral movement within internal networks, or disruption of development workflows. This could result in intellectual property theft, exposure of confidential information, or sabotage of software releases. Since many European companies adopt DevOps practices and automated testing, the vulnerability could affect a broad range of sectors including finance, healthcare, manufacturing, and government agencies. The risk is heightened if the vulnerable function is exposed to untrusted inputs or if attackers gain access to developer environments. Additionally, exploitation could undermine trust in software supply chains and delay critical software deployments, impacting business continuity and compliance with regulations such as GDPR.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their use of codeceptjs 3.7.3 or similar versions to identify any invocation of the emptyFolder function or other functions that execute shell commands with user-controlled input. Until an official patch is released, organizations should avoid passing unsanitized or user-controlled directory paths to this function. Implement strict input validation and sanitization to ensure directoryPath parameters do not contain shell metacharacters or command separators. Consider replacing execSync calls with safer alternatives such as Node.js native file system APIs (e.g., fs.rm or fs.rmdir) that do not invoke shell commands. Restrict permissions of CI/CD and build environments to minimize the impact of potential command execution. Monitor logs for suspicious command execution patterns and anomalous activity in developer and test environments. Finally, stay updated with vendor advisories and apply patches promptly once available.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68bf1696d5a2966cfc81ef0a

Added to database: 9/8/2025, 5:47:02 PM

Last enriched: 9/8/2025, 6:01:40 PM

Last updated: 9/9/2025, 8:00:23 PM
