CVE-2021-23326 — Command Injection in @graphql-tools/git-loader

Description

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

How to fix CVE-2021-23326

To remediate CVE-2021-23326, upgrade the affected package to a fixed version below.

npm/@graphql-tools/git-loader—upgrade to 6.2.6 or later

Is CVE-2021-23326 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.2.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23326
WEBadvisory.checkmarx.net/advisory/CX-2020-4300
WEBgithub.com/ardatan/graphql-tools/commit/6a966beee8ca8b2f4adfe93318b96e4a5c501eac
WEBgithub.com/ardatan/graphql-tools/pull/2470