CVE-2021-28955: Arbitrary code execution due to an uncontrolled search path for the git binary

May 25, 2021 (updated May 19, 2025)

The go language recently addressed a security issue in the way that binaries are found before being executed. Some operating systems like Windows persist to have the current directory being part of the default search path, and having priority over the system-wide path.

This means that it’s possible for a malicious user to craft for example a git.bat command, commit it and push it in a repository. Later when git-bug search for the git binary, this malicious executable can take priority and be executed.

References

github.com/MichaelMure/git-bug/pull/604
github.com/advisories/GHSA-m898-h4pm-pqfr
github.com/git-bug/git-bug
github.com/git-bug/git-bug/security/advisories/GHSA-m898-h4pm-pqfr
nvd.nist.gov/vuln/detail/CVE-2021-28955
vuln.ryotak.me/advisories/18

Code Behaviors & Features

Detect and mitigate CVE-2021-28955 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →