CVE-2025-59046: interactive-git-checkout has a Command Injection vulnerability
The npm package interactive-git-checkout is an interactive command-line tool that lets users check out a git branch; it prompts for the branch name on the command line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout.
Resources:
- Project’s npm package: https://www.npmjs.com/package/interactive-git-checkout
References
- github.com/advisories/GHSA-4wcm-7hjf-6xw5
- github.com/ninofiliu/interactive-git-checkout
- github.com/ninofiliu/interactive-git-checkout/commit/8dd832dd302af287a61611f4f85e157cd1c6bb41
- github.com/ninofiliu/interactive-git-checkout/security/advisories/GHSA-4wcm-7hjf-6xw5
- nvd.nist.gov/vuln/detail/CVE-2025-59046