Skip to content

Arbitrary Command Injection due to Improper Command Sanitization

Moderate severity GitHub Reviewed Published Jul 27, 2021 in npm/git • Updated Jan 9, 2023

Package

npm @npmcli/git (npm)

Affected versions

< 2.0.8

Patched versions

2.0.8

Description

Summary

There exists a command injection vulnerability in npmcli/git versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input.

The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user controlled) Git command arguments.

Impact

Arbitrary Command Injection

Details

npmcli/git prior to release 2.0.8 passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing git+https://github.com/npm/git; echo hello world would trigger the shell execution of echo hello world.

This issue was remediated by no longer running npmcli/git git commands through an intermediate shell.

Patches

This issue has been patched in release 2.0.8

Acknowledgements

This report was reported to us by @tyage (Ierae Security) through the GitHub Bug Bounty Program.

References

@rzhade3 rzhade3 published to npm/git Jul 27, 2021
Reviewed Aug 2, 2021
Published to the GitHub Advisory Database Aug 5, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-hxwm-x553-x359

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.