TROYANOSYVIRUS
Volver a CVEs

CVE-2025-59831

HIGH
8.8

Descripcion

git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.

Detalles CVE

Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado9/25/2025
Ultima modificacion10/16/2025
Fuentenvd
Avistamientos honeypot0

Productos afectados

riceball:git-commiters

Debilidades (CWE)

CWE-77CWE-78CWE-77

Referencias

https://github.com/snowyu/git-commiters.js/commit/7f0abfedbf506e3a61ac875d91324a8dbe756e84(security-advisories@github.com)
https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6(security-advisories@github.com)
https://github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.