← Voltar para CVEs
CVE-2025-66219
CRITICAL9.8
Descricao
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado11/29/2025
Ultima modificacao12/19/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
dontkry:willitmerge
Fraquezas (CWE)
CWE-77
Referencias
https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197(security-advisories@github.com)
https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(security-advisories@github.com)
https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.