WS-2021-0245
Published: May 14, 2026
Updated: May 14, 2026
Summary
There is a command injection vulnerability in "npmcli/git" versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when "npmcli/git" is used to execute Git commands based on user-controlled input. The impact of this issue is possible arbitrary command injection when "npmcli/git" is run with untrusted (user-controlled) Git command arguments.

Impact
Arbitrary Command Injection

Details
"npmcli/git" prior to release "2.0.8" passed user-controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example, passing "git+https://github.com/npm/git; echo hello world" would trigger shell execution of "echo hello world". This issue was remediated by no longer running "npmcli/git" Git commands through an intermediate shell.

Patches
This issue has been patched in release "2.0.8".

Acknowledgements
This issue was reported to us by @tyage (Ierae Security) through the "GitHub Bug Bounty Program" (https://bounty.github.com).
CVSS v4
Base Score: 9.3
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Weakness Type (CWE): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')