GHSA-4WCM-7HJF-6XW5

Vulnerability from github – Published: 2025-09-10 21:37 – Updated: 2025-09-10 21:37
VLAI?
Summary
interactive-git-checkout has a Command Injection vulnerability
Details

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.

Resources: * Project's npm package: https://www.npmjs.com/package/interactive-git-checkout

Command Injection Vulnerability

The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module's exec() function without proper input validation or sanitization.

The following vulnerable code snippets demonstrates the issue:

const { exec: execCb } = require('child_process');
const { promisify } = require('util');

const exec = promisify(execCb);

module.exports = async (targetBranch) => {
    const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
    process.stderr.write(stderr);
    process.stdout.write(stdout);
};

Exploit Proof of Concept

  1. Install the interactive-git-checkout package (as suggested by the package's README):
npm install --global interactive-git-checkout
  1. Run the executable exposed by the installed package:
$ igc
  1. When prompted, enter the following branch name:
hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #

Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.

Author

Liran Tal

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "interactive-git-checkout"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-10T21:37:00Z",
    "nvd_published_at": "2025-09-09T23:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`.\n\nResources: \n * Project\u0027s npm package: https://www.npmjs.com/package/interactive-git-checkout\n \n## Command Injection Vulnerability\n\nThe `interactive-git-checkout` tool is vulnerable to a command injection vulnerability because it passes the branch name to the `git checkout` command using the Node.js child process module\u0027s `exec()` function without proper input validation or sanitization.\n\nThe following vulnerable code snippets demonstrates the issue:\n\n```js\nconst { exec: execCb } = require(\u0027child_process\u0027);\nconst { promisify } = require(\u0027util\u0027);\n\nconst exec = promisify(execCb);\n\nmodule.exports = async (targetBranch) =\u003e {\n    const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);\n    process.stderr.write(stderr);\n    process.stdout.write(stdout);\n};\n```\n\n## Exploit Proof of Concept\n\n1. Install the `interactive-git-checkout` package (as suggested by the package\u0027s README):\n\n```bash\nnpm install --global interactive-git-checkout\n```\n\n2. Run the executable exposed by the installed package:\n\n```bash\n$ igc\n```\n\n3. When prompted, enter the following branch name:\n\n```bash\nhello ; echo \u0027Command Injection Vulnerability Exploited!\u0027 \u003e /tmp/command-injection.txt; #\n```\n\n## Vulnerable versions\n\nAll versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of `1.1.4`.\n\n# Author\n\nLiran Tal",
  "id": "GHSA-4wcm-7hjf-6xw5",
  "modified": "2025-09-10T21:37:00Z",
  "published": "2025-09-10T21:37:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ninofiliu/interactive-git-checkout/security/advisories/GHSA-4wcm-7hjf-6xw5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ninofiliu/interactive-git-checkout/commit/8dd832dd302af287a61611f4f85e157cd1c6bb41"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ninofiliu/interactive-git-checkout"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "interactive-git-checkout has a Command Injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.