cdxgen before version 12.4.3 contains a command injection vulnerability in its Maven scanning functionality. When scanning an attacker-controlled Maven project, repository-controlled paths could be injected into Maven command invocations that used shell: true on POSIX platforms. This allowed shell metacharacters in directory names to be interpreted by the shell, potentially enabling command execution within the cdxgen process. The vulnerability affects both CLI and server modes, specifically the POST /sbom endpoint in server mode. The patch in 12.4.3 mitigates this by removing unconditional shell execution, blocking shell: true invocations with unsafe arguments, and adding other hardening measures. Residual risks remain for nested paths interpreted by external build tools after cdxgen launches them, so sandboxing untrusted scans is recommended.

An attacker who controls a scanned Maven project repository can exploit this vulnerability to execute arbitrary shell commands in the context of the cdxgen process. This could lead to unauthorized code execution during scanning operations. The vulnerability affects both CLI and server modes of cdxgen. However, exploitation requires control over the scanned repository paths and the ability to trigger scans. There are no known exploits in the wild as of the published date.

A fix is available in cdxgen version 12.4.3 and later, which hardens command invocation by removing unconditional shell execution and blocking unsafe shell arguments. The recommended remediation is to upgrade to version 12.4.3 or later. If immediate upgrade is not possible, apply mitigations such as not running cdxgen server mode on untrusted networks, restricting access to the POST /sbom endpoint, avoiding scanning untrusted Maven repositories, running cdxgen in sandboxed or containerized environments, removing sensitive environment variables, using least-privilege filesystem mounts, and restricting outbound network access. Use cdxgen secure/dry-run modes and configure host and command allowlists to reduce exposure. These mitigations reduce but do not fully eliminate risk in affected versions.