@cyclonedx/cdxgen command injection via Maven project directory names
A command injection vulnerability in cdxgen before version 12.4.3.
What changed
A command injection vulnerability in cdxgen before version 12.4.3 allowed shell metacharacters in Maven project directory names to be interpreted by the shell, enabling arbitrary command execution. The issue is patched in version 12.4.3.
Who it affects
Users of cdxgen versions before 12.4.3 who scan untrusted Maven repositories, especially those running server mode with the POST /sbom endpoint exposed.
What to do today
Upgrade to cdxgen version 12.4.3 or later. If an immediate upgrade is not possible, apply these workarounds: do not expose server mode to untrusted networks, avoid scanning untrusted Java/Maven repositories, run cdxgen in a sandboxed environment, and configure the allowlists (CDXGEN_SERVER_ALLOWED_HOSTS, CDXGEN_GIT_ALLOWED_HOSTS, CDXGEN_ALLOWED_COMMANDS, CDXGEN_SECURE_MODE=true).