CVE-2019-5485
Description
NPM package gitlabhook 0.0.17 is vulnerable to command injection via the repository name, allowing remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The NPM package gitlabhook version 0.0.17 is a Node.js module designed to handle GitLab webhooks. It contains a command injection vulnerability in the handling of the repository name field. The package fails to properly sanitize user-supplied input before passing it to shell execution functions, allowing an attacker to inject arbitrary operating system commands [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the webhook endpoint with a malicious repository name containing shell metacharacters (e.g., backticks, semicolons, or pipes). No authentication is required, so any party able to reach the endpoint (for example, when it is exposed to the internet) can send such a request. The injected commands are executed with the privileges of the Node.js process, typically leading to remote code execution [1].
Impact
Successful exploitation grants the attacker full remote code execution on the server hosting the gitlabhook instance. This can lead to data exfiltration, lateral movement within the network, and complete compromise of the affected system [2].
Mitigation
As of the CVE publication date, no official patch has been released for gitlabhook 0.0.17. The package appears to be unmaintained. Users are advised to avoid using this package, implement strict input validation and sanitization for the repository name field, or migrate to an alternative solution [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gitlabhook (npm) | <= 0.0.17 | — |
Affected products
- gitlabhook/gitlabhook
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-549f-73hh-mj38 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5485 (advisory)
- packetstormsecurity.com/files/154598/NPMJS-gitlabhook-0.0.17-Remote-Command-Execution.html (web)
- hackerone.com/reports/685447 (web)
News mentions
No linked articles in our index yet.