CVE-2025-66219

CRITICAL

9.8

Beschreibung

willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht11/29/2025

Zuletzt geandert12/19/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

dontkry:willitmerge

Schwachen (CWE)

CWE-77

Referenzen

https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197(security-advisories@github.com)

https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(security-advisories@github.com)

https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.