VYPR
Critical severity · NVD Advisory · Published Feb 28, 2020 · Updated Aug 4, 2024

CVE-2019-10803

Description

push-dir prior to 0.4.1 allows arbitrary command injection by passing untrusted branch names to the git command.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability in push-dir through version 0.4.1 is a command injection flaw. The opt.branch variable, which is used to specify the target branch for pushing directory contents, is passed directly to the git command at line 139 of index.js without any validation or sanitization [1][3]. This allows an attacker to inject arbitrary shell commands by crafting a malicious branch string.

Exploitation requires only the ability to control the branch option passed to the push-dir function. For example, setting opt.branch to "& echo vulnerable > create.txt &" will execute the injected command before the intended git operation [2]. No authentication or special network position is needed; the vulnerability can be triggered locally or in any environment where untrusted input is passed to push-dir.

Successful exploitation enables an attacker to execute arbitrary commands with the privileges of the process running push-dir, potentially leading to full system compromise, data exfiltration, or further lateral movement [1][2]. As of the time of disclosure, no patched version of push-dir has been released, and users are advised to avoid passing untrusted input to the branch parameter or to replace the package with a maintained alternative [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
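
A hardened way to pass a branch option to git, as an added example that is not push-dir's own code: the branch is checked against an allow-list and git is invoked through an argument array instead of a shell string. The function names, the `git push` refspec and the `origin` remote are assumptions made for illustration.

```javascript
'use strict';

// Allow-list for branch names: a conservative subset of git's ref-name rules
// (see `git check-ref-format`). Anything outside it is rejected, not escaped.
function isSafeBranchName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  // Letters, digits, '.', '_', '-', '/' only: no whitespace, no shell metacharacters.
  if (!/^[A-Za-z0-9._\/-]+$/.test(name)) return false;
  // A leading '-' would be read by git as an option rather than a ref.
  if (name.startsWith('-') || name.startsWith('/') || name.endsWith('/')) return false;
  if (name.includes('..') || name.includes('//') || name.endsWith('.')) return false;
  // No path component may start with '.' or end with '.lock'.
  return name.split('/').every((part) => !part.startsWith('.') && !part.endsWith('.lock'));
}

// Build the argument vector for a hypothetical `git push` of HEAD to `branch`.
// `remote` is assumed to be a trusted, hard-coded value.
function buildPushArgs(branch, remote = 'origin') {
  if (!isSafeBranchName(branch)) {
    throw new Error('refusing unsafe branch name: ' + JSON.stringify(branch));
  }
  // Fully qualified refspec, so the argument can never start with '-'.
  return ['push', remote, 'HEAD:refs/heads/' + branch];
}

// Run git without a shell: execFileSync passes each array element as one
// argv entry, so '&', ';', '|', '>' and backticks are never interpreted.
function pushBranch(branch, cwd = process.cwd()) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('git', buildPushArgs(branch), { cwd, stdio: 'inherit' });
}

// Constructed sample inputs; the second is the string quoted in the advisory text.
const samples = ['gh-pages', '& echo vulnerable > create.txt &', '--force', 'release/1.2'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isSafeBranchName(s) ? 'accepted' : 'rejected');
}
```

Either control alone leaves a gap: the allow-list stops option-style values such as `--force`, and the shell-free call stops metacharacters from being interpreted if the allow-list is ever loosened.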

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
push-dir (npm) | <= 0.4.1 |

Patches

No patches discovered yet.
