CVE-2024-21532: ggit is vulnerable to Command Injection via the fetchTags(branch) API

October 8, 2024

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

References

gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02
github.com/advisories/GHSA-62cx-5xj4-wfm4
github.com/bahmutov/ggit
nvd.nist.gov/vuln/detail/CVE-2024-21532
security.snyk.io/vuln/SNYK-JS-GGIT-5731320

Code Behaviors & Features

Detect and mitigate CVE-2024-21532 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →