Snyk was notified by Imperva of a vulnerability (CVE-2022-40764) affecting the Snyk CLI and IDE plugins. Snyk took immediate action to reproduce and mitigate this vulnerability, and on September 1, 2022 Snyk released CLI v1.996.0 to address the discovered vulnerability.
To be exposed to this vulnerability, a developer would have to execute a snyk test command on untrusted files, or load untrusted files in their IDE.
This vulnerability affected users of the Snyk CLI and the Snyk IDE plugins. By default, Snyk IDE plugin users were automatically updated within 4 days of the release of the updated Snyk CLI v1.996.0 on September 1, 2022. Users who have deactivated automatic updates should update to the latest CLI version by enabling updates in the preferences (see below).
Update your Snyk CLI to version 1.996.0 or higher.
npm i -g snyk@1.996.0
npm i -g snyk@latest
You can check which version of the Snyk CLI you have installed by running
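An added helper, not part of the Snyk advisory, that takes the output of `snyk --version` and reports whether the installed CLI is at or above the fixed 1.996.0 release; the `snyk --version` invocation and the shape of its output (a leading dotted version number) are assumptions, and the sample versions in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Snyk's own code): decide whether an installed Snyk CLI
# already carries the CVE-2022-40764 fix, i.e. is version 1.996.0 or higher.
# Intended use on a developer machine or CI agent (assumed CLI flag):
#   snyk_cli_is_fixed "$(snyk --version)"

FIXED_VERSION="1.996.0"

# Compare two dotted version strings numerically, component by component.
# Exit status 0 when $1 >= $2, 1 otherwise. Missing components count as 0,
# so "1.996" and "1.996.0" compare equal.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
    done
    return 0
}

# Take the raw version output (constructed samples: "1.996.0",
# "1.1000.2 (standalone)"), keep only the leading dotted number, and report
# whether it is at or above the fixed release. Exit status: 0 fixed,
# 1 vulnerable, 2 unparseable.
snyk_cli_is_fixed() {
    raw="$1"
    ver=$(printf '%s' "$raw" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $raw" >&2
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "snyk $ver: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "snyk $ver: affected by CVE-2022-40764, update to >= $FIXED_VERSION" >&2
    return 1
}
```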
Snyk IDE Plugins
You can check which instance of the Snyk CLI your IDE is using and toggle updates in the preferences. See our instructions for JetBrains, VSCode, Eclipse, and Visual Studio, or the Snyk Language Server for those using it directly.
If your copy of the IDE plugin does not have these settings, upgrade to the latest version of the plugin.
Snyk CI/CD Plugins
By default, most CI/CD plugins update automatically, either in their entirety or the version of the CLI they use. The primary exception to this is the Snyk TeamCity plugin, for which a new version has been released. Please update the Snyk TeamCity plugin to version v20220930.142957 or newer.
If the default of automatic updates has been changed, we recommend either switching the configuration back to automatic CLI updates or updating manually to Snyk CLI version 1.996.0 or higher.
- Artifactory: Our Artifactory plugin does not use the CLI and is not affected.
- Nexus: Our Nexus plugin does not use the CLI and is not affected.
- CircleCI: The Snyk Orb checks and updates the CLI automatically on scan.
- Snyk Maven Plugin: Automatically updates the CLI and will use the fixed version unless it has been manually configured to not update, or a custom CLI instance has been specified. Details for how to check your configuration here.
- Jenkins: The Snyk Security Scanner automatically updates the CLI unless deactivated. Details for how to check your configuration here.
- Azure Pipelines: Automatically uses the latest CLI.