IonicaBizau node-gry command injection
Description
Command injection in node-gry up to 5.x allows arbitrary command execution via unsanitized git command strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-36650 is a critical command injection vulnerability in the node-gry npm package, a minimalist Node.js wrapper for Git commands. The flaw resides in the exec method, which constructs shell commands by concatenating user-controlled input directly into a string passed to child_process.exec instead of using the safer array-based argument form. This allows an attacker to inject arbitrary shell commands through parameters such as branch names, commit messages, or file paths that are passed to Git operations [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying malicious input to any node-gry method that internally calls exec with unsanitized arguments. For example, the commit method concatenates the message directly into a command string ("commit -m \"" + message + "\""), enabling injection of shell metacharacters like backticks or $() to execute arbitrary commands. No authentication is required if the application exposes these inputs to untrusted users, making the attack surface broad in web applications or services that use node-gry to handle user-supplied Git operations [3][4].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or lateral movement within the network. The vulnerability is rated critical due to the ease of exploitation and the potential for remote code execution without prior authentication [1].
Mitigation
The issue was addressed in version 6.0.0 of node-gry. The fix, identified by commit 5108446c1e23960d65e8b973f1d9486f9f9dbd6c, refactors the exec method to pass arguments as an array to child_process.spawn, preventing shell injection. Users are strongly advised to upgrade to version 6.0.0 or later. No workarounds are available for earlier versions [2][4].
- NVD - CVE-2020-36650
- huntr.dev - Command Injection Fix by huntr-helper · Pull Request #22 · IonicaBizau/node-gry
- GitHub - IonicaBizau/node-gry: :seat: A minimalist NodeJS wrapper for the `git` commands. `gry` stands for the Git RepositorY.
- fix command injection vulnerability · IonicaBizau/node-gry@5108446
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gry (npm) | < 6.0.0 | 6.0.0 |
Affected products
- Range: 5.x
Patches
- 5108446c1e23: fix command injection vulnerability
2 files changed · +10 −17
example/index.js+1 −1 modified@@ -16,7 +16,7 @@ oneByOne([ } , cb => { console.log("> Created README.md"); - myRepo.exec("add .", cb); + myRepo.exec(['add', '.'], cb); } , cb => { console.log("> Added the files.");
lib/index.js+9 −16 modified@@ -52,29 +52,22 @@ class Gry { * @return {Gry} The `Gry` instance. */ exec (command, args, callback) { - var eargs = []; if (typeof args === "function") { callback = args; args = null; } - // Handle spawn - if (Array.isArray(args)) { - eargs.push("git", [command].concat(args)); - } else { - eargs.push("git " + command.trim()); - } - eargs.push({ cwd: this.cwd }); // Add the callback function eargs.push((err, stdout) => { if (err) { return callback(err); } callback(null, stdout.trimRight()); }); + console.log({command, eargs, callback}) - el.add.apply(el, eargs); + el.add('git', command, eargs[0], eargs[1]); return this; } @@ -88,7 +81,7 @@ class Gry { * @return {Gry} The `Gry` instance. */ init (callback) { - return this.exec("init", callback); + return this.exec(['init'], callback); } /** @@ -128,7 +121,7 @@ class Gry { callback = options; options = ""; } - return this.exec("commit -m \"" + message + "\" " + options, callback) + return this.exec(['commit', '-m', message, ...options.split(' ').filter(a => a)], callback) } /** @@ -146,7 +139,7 @@ class Gry { callback = options; options = ""; } - return this.exec("pull " + options, callback); + return this.exec(['pull', ...options.split(' ')], callback); } /** @@ -164,7 +157,7 @@ class Gry { callback = options; options = "."; } - return this.exec("add " + options, callback); + return this.exec(['add', ...options.split(' ')], callback); } /** @@ -182,7 +175,7 @@ class Gry { callback = options; options = ""; } - return this.exec("branch " + options, callback); + return this.exec(['branch', ...options.split(' ')], callback); } /** @@ -200,7 +193,7 @@ class Gry { callback = options; options = ""; } - return this.exec("checkout " + options, callback); + return this.exec(['checkout', ...options.split(' ')], callback); } /** 
@@ -219,7 +212,7 @@ class Gry { callback = options; options = ""; } - return this.exec("clone " + gitUrl + " " + options, callback); + return this.exec(['clone', gitUrl, ...options.split(' ')], callback); } }
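Review bot: in the `exec` hunk of lib/index.js, `var eargs = [];` is removed but `eargs.push((err, stdout) => …)` stays as context and the new call reads `eargs[0]` and `eargs[1]`, so `eargs` is referenced without a declaration; either keep the declaration or build the options object and callback explicitly. The same hunk drops `eargs.push({ cwd: this.cwd });`, so `el.add('git', command, eargs[0], eargs[1])` no longer passes the repository's working directory, and it leaves the `console.log({command, eargs, callback})` debug line in. Removing the `Array.isArray(args)` branch also means the `args` parameter is now accepted and ignored, so callers of `exec(command, args, callback)` silently lose their arguments.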
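Review bot: the commit hunk is the substance of the fix: `message` becomes a single argv element instead of being spliced into the quoted `"commit -m \"" + message + "\" "` string, so shell metacharacters in it are no longer interpreted. `options.split(' ').filter(a => a)` also discards empty tokens, so the default `options = ""` set just above contributes no argument; that filter is worth carrying into the other wrappers.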
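Review bot: in the pull hunk, `...options.split(' ')` with the default `options = ""` shown just above yields `[""]`, so `this.exec(['pull', ''], callback)` hands git an empty-string argument; add the `.filter(a => a)` used in the commit hunk. The branch, checkout and clone hunks use the same unfiltered `split(' ')` with the same `""` default.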
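Review bot: in the clone hunk, `gitUrl` now travels as its own argv element, which removes the quoting problem of the old `"clone " + gitUrl + " " + options` string; if `gitUrl` can come from an untrusted caller, consider placing `--` before it so a value beginning with `-` is not parsed by git as an option.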
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/IonicaBizau/node-gry/commit/5108446c1e23960d65e8b973f1d9486f9f9dbd6c (ghsa: patch, WEB)
- github.com/IonicaBizau/node-gry/releases/tag/6.0.0 (ghsa: patch, WEB)
- github.com/advisories/GHSA-w5mw-f2hq-5fw8 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-36650 (ghsa: ADVISORY)
- github.com/IonicaBizau/node-gry/pull/22 (ghsa: issue-tracking, WEB)
- vuldb.com (ghsa: signature, permissions-required, WEB)
- vuldb.com (ghsa: vdb-entry, technical-description, WEB)