ghsa-vh25-5764-9wcr
Vulnerability from github
Published
2025-09-22 18:01
Modified
2025-09-22 21:59
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Summary
@conventional-changelog/git-client has Argument Injection vulnerability
Details

Background on exploitation

This vulnerability manifests with the library's getTags() API, which allows specifying extra parameters passed to the git log command. In another API by this library - getRawCommits() there are secure practices taken to ensure that the extra parameter path is unable to inject an argument by ending the git log command with the special shell syntax --. However, the library does not follow the same practice for getTags() not attempts to sanitize for user input, validate the given params, or restrcit them to an allow list. Nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

Thus, allowing users to exploit an argument injection vulnerability in Git due to the --output= command-line option that results with overwriting arbitrary files.

Exploit

  1. Install @conventional-changelog/git-client@1.0.1 or earlier
  2. Prepare a Git directory to be used as source
  3. Create the following script for the proof-of-concept:

```js import { GitClient, } from "@conventional-changelog/git-client";

async function main() { const gitDirectory = "/tmp/some-git-directory"; const client = new GitClient(gitDirectory);

const params = ["--output=/tmp/r2d2"]; for await (const tag of client.getTags(params)) { console.log(tag); } }

main(); ```

  1. Observe new file created on disk at /tmp/r2d2

Impact

While the scope is only limited to writing a file with input from the git log result, it still allows to specify and overwrite any arbitrary files on disk, such as .env or as far as critical system configuration at /etc if the application is running as privileged root user.

It may be the library's design choice to expose a generic params object to allow any consuming users to specify random Git command line arguments, however it could be abused by attackers when developers aren't aware of the security risks which aren't communicated. As such, I recommend not ignoring, and either patching this insecure design gap with hardened secure coding practices (like in other APIs mentioned previously) or adding a security disclaimer to this library's documentation.

Author / Credit

Liran Tal

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conventional-changelog/git-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-22T18:01:01Z",
    "nvd_published_at": "2025-09-22T20:15:38Z",
    "severity": "MODERATE"
  },
  "details": "## Background on exploitation\n\nThis vulnerability manifests with the library\u0027s `getTags()` API,\nwhich allows specifying extra parameters passed to the `git log` command. In another API by this library - `getRawCommits()` there are secure practices taken to ensure that the extra parameter `path` is unable to inject an argument by ending the `git log` command with the special shell syntax `--`.\nHowever, the library does not follow the same practice for `getTags()` not attempts to sanitize for user input, validate the given params, or restrcit them to an allow list. Nor does it properly pass command-line flags to the `git` binary using the double-dash POSIX characters (`--`) to communicate the end of options.\n\nThus, allowing users to exploit an argument injection vulnerability in Git due to the\n`--output=` command-line option that results with overwriting arbitrary files.\n\n## Exploit\n\n1. Install `@conventional-changelog/git-client@1.0.1` or earlier\n2. Prepare a Git directory to be used as source\n3. Create the following script for the proof-of-concept:\n\n```js\nimport {\n  GitClient,\n} from \"@conventional-changelog/git-client\";\n\nasync function main() {\n  const gitDirectory = \"/tmp/some-git-directory\";\n  const client = new GitClient(gitDirectory);\n\n  const params = [\"--output=/tmp/r2d2\"];\n  for await (const tag of client.getTags(params)) {\n    console.log(tag);\n  }\n}\n\nmain();\n```\n\n3. Observe new file created on disk at `/tmp/r2d2`\n\n## Impact\n\nWhile the scope is only limited to writing a file with input from the git log result, it still allows to specify and overwrite any arbitrary files on disk, such as `.env` or as far as critical system configuration at `/etc` if the application is running as privileged `root` user.\n\nIt may be the library\u0027s design choice to expose a generic `params` object to allow any consuming users to specify random Git command line arguments, however it could be abused by attackers when developers aren\u0027t aware of the security risks which aren\u0027t communicated. As such, I recommend not ignoring, and either patching this insecure design gap with hardened secure coding practices (like in other APIs mentioned previously) or adding a security disclaimer to this library\u0027s documentation.\n\n# Author / Credit\n\nLiran Tal",
  "id": "GHSA-vh25-5764-9wcr",
  "modified": "2025-09-22T21:59:10Z",
  "published": "2025-09-22T18:01:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/conventional-changelog/conventional-changelog/security/advisories/GHSA-vh25-5764-9wcr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/conventional-changelog/conventional-changelog/commit/d95c9ffac05af58228bd89fa0ba37ad65741c6a2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/conventional-changelog/conventional-changelog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@conventional-changelog/git-client has Argument Injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.