Advisories for Npm/Repomix package

2026

repomix: attach_packed_output can bypass file-read secret scanning for supported local files

Repomix's MCP server exposes a normal file_system_read_file tool that reads absolute paths only after running the project's secret check. However, the attach_packed_output plus read_repomix_output flow can read arbitrary local .json, .txt, .md, or .xml files without the same safety check and without verifying that the file is actually a Repomix packed output. This is a medium-severity local MCP file-read boundary issue. The affected deployment is the documented repomix --mcp stdio …

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied input is passed directly to git fetch and git checkout subprocesses via child_process.execFileAsync without sanitization, `--` delimiters, or validation. An attacker can inject arbitrary git command-line options. By injecting the --upload-pack option and specifying an SSH (git@…) or local (file://) remote URL, an attacker achieves arbitrary command execution with the privileges of the user running repomix. This bypasses …