Command injection in cocoapods-downloader

GHSA-g397-v4w5-4m79 · CVE-2022-21223

Published Apr 2, 2022 · Modified Mar 13, 2026

Description

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-21223
WEB https://github.com/CocoaPods/cocoapods-downloader/pull/127
PACKAGE https://github.com/CocoaPods/cocoapods-downloader
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cocoapods-downloader/CVE-2022-21223.yml
WEB https://snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414280

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes