← Back to CVEs
CVE-2025-66219
CRITICAL9.8
Description
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published11/29/2025
Last Modified12/19/2025
Sourcenvd
Honeypot Sightings0
Affected Products
dontkry:willitmerge
Weaknesses (CWE)
CWE-77
References
https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197(security-advisories@github.com)
https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(security-advisories@github.com)
https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.