Arbitrary Command Injection due to Improper Command Sanitization

@tyage

Summary

There exists a command injection vulnerability in npmcli/git versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input.

The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user controlled) Git command arguments.

Impact

Arbitrary Command Injection

Details

npmcli/git prior to release 2.0.8 passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing git+https://github.com/npm/git; echo hello world would trigger the shell execution of echo hello world.

This issue was remediated by no longer running npmcli/git git commands through an intermediate shell.

Patches

This issue has been patched in release 2.0.8

Acknowledgements

This report was reported to us by @tyage (Ierae Security) through the GitHub Bug Bounty Program.

References

rzhade3 published to npm/git Jul 27, 2021

Reviewed Aug 2, 2021

Published to the GitHub Advisory Database Aug 5, 2021

Last updated Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Impact

Details

Patches

Acknowledgements

References

Severity

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE ID

GHSA ID

Source code

Credits

Uh oh!