VYPR
Critical severity · NVD Advisory · Published Jan 7, 2020 · Updated Aug 4, 2024

CVE-2019-10776

Description

Command injection in git-diff-apply prior to 0.22.2 allows arbitrary command execution via a crafted remoteUrl.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability exists in the git-diff-apply npm package, specifically in the index.js file at line 240. The `utils.run` call performs a git clone by building a single command string that interpolates a user-controlled variable, remoteUrl, and hands that string to a shell. This is a classic command injection flaw: remoteUrl reaches the shell without any sanitization or escaping, so the shell parses whatever it contains [1][2].

An attacker can exploit this by providing a specially crafted remoteUrl string containing shell metacharacters, such as & or ;, to inject arbitrary commands. The proof-of-concept (PoC) provided by JHU System Security Lab demonstrates injection with "&touch Song&", which causes the shell to run the touch command alongside the intended git clone [2]. No authentication is required if the application accepts user-supplied remote URLs.

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This could lead to full system compromise, data exfiltration, or further lateral movement within the environment. The impact is critical because git-diff-apply is often used in development or CI/CD pipelines where elevated privileges may be available.

A fix has been implemented in version 0.22.2. The patch replaces the vulnerable utils.run (which uses a shell) with runWithSpawn, which passes arguments as an array to spawn, thereby avoiding shell interpretation of the remoteUrl [3]. All users are strongly advised to upgrade to version 0.22.2 or later. No workarounds are documented, and the vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions   Patched versions
git-diff-apply (npm)   < 0.22.2            0.22.2

Affected products: 2

Patches: 1

Commit 106d61d3ae72: "spawn git clone"

https://github.com/kellyselden/git-diff-apply · Kelly Selden · Jan 6, 2020 · via ghsa
1 file changed · +2 −1
  • src/index.js (+2 −1, modified)
    @@ -18,6 +18,7 @@ const resolveConflicts = require('./resolve-conflicts');
     const commitAndTag = require('./commit-and-tag');
     const gitRemoveAll = require('./git-remove-all');
     const createCustomRemote = require('./create-custom-remote');
    +const { runWithSpawn } = require('./run');
     
     const { isGitClean } = gitStatus;
     const { gitConfigInit } = gitInit;
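Review bot: the new `require('./run')` on the `+` line pulls in `runWithSpawn` from a module that is not among the changed files (the commit touches only `src/index.js`), so the safety of the fix rests entirely on that helper calling `spawn` with an argument array and no `shell: true`; the PR should show or link that implementation, and if `utils.run` is no longer used anywhere in this file the `utils` require can be dropped at the same time.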
    @@ -222,7 +223,7 @@ module.exports = async function gitDiffApply({
         _tmpDir = await tmpDir();
         tmpWorkingDir = _tmpDir;
     
    -    await utils.run(`git clone ${remoteUrl} ${_tmpDir}`);
    +    await runWithSpawn('git', ['clone', remoteUrl, _tmpDir]);
     
         // needed because we are going to be committing in here
         await gitConfigInit({ cwd: _tmpDir });
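Review bot: `['clone', remoteUrl, _tmpDir]` correctly makes remoteUrl a single argv element, so `&`, `;` and friends are no longer interpreted, but git still parses that element as an option if it begins with `-`; insert an end-of-options marker, `runWithSpawn('git', ['clone', '--', remoteUrl, _tmpDir])`, so the value is always taken as the repository URL. Also worth stating in the commit message whether `runWithSpawn` rejects on a non-zero exit, since the old `utils.run` call is `await`ed here on the assumption that a failed clone throws before `gitConfigInit` runs in the new directory.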
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.