CVE-2020-28490

CRITICAL9.8EPSS 6.9%

Command Injection in async-git

Published: 4/12/2021Modified: 3/13/2026

Description

The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: `git.reset('atouch HACKEDb')`

Affected packages (1)

npm/async-gitfrom 0, < 1.13.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-28490
WEBhttps://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d
WEBhttps://github.com/omrilotan/async-git/pull/14
WEBhttps://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877
WEBhttps://www.npmjs.com/package/async-git