Command Injection in async-git
Critical severity
GitHub Reviewed
Published
Apr 12, 2021
to the GitHub Advisory Database
•
Updated Sep 7, 2023
Description
Published by the National Vulnerability Database
Feb 18, 2021
Reviewed
Mar 18, 2021
Published to the GitHub Advisory Database
Apr 12, 2021
Last updated
Sep 7, 2023
The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example:
git.reset('atouch HACKEDb')
References