VYPR
Critical severity · GHSA Advisory · Published Feb 28, 2020 · Updated Aug 4, 2024

CVE-2019-10802

Description

Giting versions before 0.0.8 are vulnerable to command injection via unsanitized 'repo' input in the pull() function, allowing arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Type

CVE-2019-10802 describes a command injection vulnerability in the giting package (a Git server library) for versions prior to 0.0.8. The root cause is that the pull() function executes a shell command without sanitizing the repo.branch property, allowing an attacker to inject arbitrary commands by crafting a malicious repo object [1][2].

Exploit Scenario

An attacker can supply a repo object with a branch field containing shell metacharacters (e.g., a semicolon followed by a malicious command). Calling test.pull(repo) with such input causes the injected command to be executed by the child process spawned for the Git operation [1][2]. The attacker does not require authentication if they can control the input to the pull() function, which may be possible if the application exposes user-provided repository details.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full compromise of the server, data exfiltration, or further lateral movement within the network [1][2]. The proof-of-concept from JHU System Security Lab demonstrates simple file creation as evidence of command execution [1].

Mitigation

The vulnerability is fixed in giting version 0.0.8. Users should upgrade to 0.0.8 or later, as the commit 9be41081f547d3dcef25e7d7c957bc2a3be2dfe0 applies encodeURIComponent() to the repo.branch value before passing it to the shell command, preventing injection [1][3]. No workaround is documented; upgrading is the recommended remediation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
giting    npm         <= 0.0.8            (none listed)
