fkie_cve-2025-59831
Vulnerability from fkie_nvd
Published
2025-09-25 14:15
Modified
2025-10-16 15:45
Severity ?
Summary
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
riceball | git-commiters | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:riceball:git-commiters:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F8CEB3AF-3A38-40D7-94A8-27813EBE7A2C", "versionEndExcluding": "0.1.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library\u0027s primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2." } ], "id": "CVE-2025-59831", "lastModified": "2025-10-16T15:45:42.370", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-09-25T14:15:46.147", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/snowyu/git-commiters.js/commit/7f0abfedbf506e3a61ac875d91324a8dbe756e84" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" }, { "lang": "en", "value": "CWE-78" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…