VYPR
High severity · NVD Advisory · Published Nov 13, 2020 · Updated Aug 4, 2024

Remote code execution in dependabot-core

CVE-2020-26222

Description

Dependabot-Core before 0.125.1 contains a remote code execution flaw via malicious branch names that inject bash commands, allowing outbound HTTP requests to attacker-controlled hosts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-26222 is a remote code execution (RCE) vulnerability in Dependabot-Core, the library underlying the GitHub Dependabot automated dependency update service. The flaw affects the dependabot-common and dependabot-go_modules packages from version 0.119.0.beta1 up to (but not including) 0.125.1. The root cause is that source branch names are not sanitized before being passed to shell operations. When Dependabot clones a repository using a branch name containing malicious bash code, that code is executed. For example, a branch name like /$({curl,127.0.0.1}) causes Dependabot to make an HTTP request to 127.0.0.1 [2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to configure Dependabot with a source repository that has a crafted branch name. The attack requires no authentication beyond the ability to influence the branch name used by Dependabot. The injection occurs because the branch name is interpolated into a shell command without proper escaping, allowing arbitrary bash commands to be executed [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the machine running Dependabot. In the example given, this results in an outbound HTTP request to an IP of the attacker's choice, which could be used for data exfiltration, further network reconnaissance, or as a stepping stone for more severe compromise. The impact is limited by the privileges of the Dependabot process [2].

Mitigation

The vulnerability is patched in Dependabot-Core version 0.125.1 [3][4]. Users should upgrade immediately. For those unable to upgrade, a workaround is to manually escape or sanitize branch names before passing them to the Dependabot::Source class [2].
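The following Ruby block is an added example, not code from dependabot-core or from this advisory. It shows the mechanism described in the Overview and the two fixes implied by the Mitigation section: the branch name interpolated straight into a string handed to `sh -c` (the pre-0.125.1 shape), the same command with `Shellwords.escape` applied (the approach named in the v0.125.1 changelog), and an argv-style call that never involves a shell. `echo` stands in for the `git clone --branch` invocation so it runs without a repository, the helper names are hypothetical, the branch name is a constructed sample carrying a harmless `$(echo ...)` substitution, and `suspicious_ref?` is a logging/policy heuristic assumed here, not a git rule.

```ruby
# Added example (not dependabot-core code): how an unescaped branch name
# reaches the shell, and two ways to stop it. `echo` stands in for the
# `git clone --branch ...` invocation so the demo runs without a repository.
require "shellwords"
require "open3"

# Constructed sample branch name. Git accepts "$", "(" and ")" in ref names,
# so this is a legal branch; the substitution is harmless (echo), chosen to
# make the injection visible rather than to do anything.
PROBE_BRANCH = "feature/$(echo INJECTED)"

# Vulnerable pattern (hypothetical helper mirroring the pre-0.125.1 shape):
# the branch is interpolated straight into a string later handed to `sh -c`.
def vulnerable_command(branch)
  "echo checking out #{branch}"
end

# Fix 1, the approach named in the v0.125.1 changelog: escape every
# shell-significant character with Shellwords before interpolating.
def escaped_command(branch)
  "echo checking out #{Shellwords.escape(branch)}"
end

# Executes a command string through a shell, as a run_shell_command-style
# helper would. Returns stdout only; the demo does not need stderr/status.
def run_via_shell(cmd)
  out, _err, _status = Open3.capture3("sh", "-c", cmd)
  out.strip
end

# Fix 2, stronger than escaping: pass argv directly so no shell ever parses
# the branch name. Open3 with separate arguments uses exec semantics.
def run_argv(branch)
  out, _err, _status = Open3.capture3("echo", "checking", "out", branch)
  out.strip
end

# Defence-in-depth heuristic (an assumption, not a git rule): flag ref names
# carrying characters that only matter to a shell. Useful for logging or for
# rejecting such refs at configuration time; it is not a substitute for
# escaping, because git itself permits these characters.
SHELL_METACHARS = /[$`;&|<>(){}\n\\'"]/

def suspicious_ref?(branch)
  !!(branch =~ SHELL_METACHARS)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_via_shell(vulnerable_command(PROBE_BRANCH))}"
  puts "escaped:    #{run_via_shell(escaped_command(PROBE_BRANCH))}"
  puts "argv:       #{run_argv(PROBE_BRANCH)}"
  puts "flagged?    #{suspicious_ref?(PROBE_BRANCH)}"
end
```

Run directly, the vulnerable form prints `checking out feature/INJECTED` (the substitution ran), while both fixed forms print the branch name literally. Of the two fixes, the argv form is preferable where the helper's interface allows it, because escaping must be applied at every interpolation site and is easy to miss on the next one.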

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions              Patched versions
dependabot-omnibus   RubyGems    >= 0.119.0.beta1, < 0.125.1    0.125.1
dependabot-common    RubyGems    >= 0.119.0.beta1, < 0.125.1    0.125.1

Affected products

3

Patches

1
e089116abbe2

Merge pull request #2727 from dependabot/v0.125.1-release-notes

https://github.com/dependabot/dependabot-core · Philip Harrison · Nov 5, 2020 · via ghsa
2 files changed · +5 −1
  • CHANGELOG.md  +4 −0  modified
    @@ -1,3 +1,7 @@
    +## v0.125.1, 5 November 2020
    +
    +- Escape `SharedHelpers.run_shell_command` with shellwords
    +
     ## v0.125.0, 5 November 2020
     
     - Bundler: Explain why security update was not possible
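Review bot: the entry `+- Escape `SharedHelpers.run_shell_command` with shellwords` is the only description of the security fix this patch carries, and the commit touches just CHANGELOG.md and version.rb (2 files changed, +5 −1), so the actual escaping change to `SharedHelpers.run_shell_command` is not in this diff. Suggest referencing the commit or pull request that contains the code change, and the CVE identifier, in this changelog line so that someone auditing the fix from the advisory can reach the code rather than only the release note.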
    
  • common/lib/dependabot/version.rb  +1 −1  modified
    @@ -1,5 +1,5 @@
     # frozen_string_literal: true
     
     module Dependabot
    -  VERSION = "0.125.0"
    +  VERSION = "0.125.1"
     end
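Review bot: the bump `-  VERSION = "0.125.0"` to `+  VERSION = "0.125.1"` agrees with the new changelog header and with the advisory's patched version, but no behavioural change accompanies it in this hunk, so the version bump and the fix live in separate commits. Suggest having the release commit message name the fix commit so the two are traceable together when the advisory links only the release merge.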
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
