CVE-2020-7619

The get-git-data npm package, up to version 1.3.1, is vulnerable to command injection due to insufficient sanitization of the limit argument. This argument is passed to shell commands without proper escaping, allowing attackers to inject arbitrary OS commands [1][3].

An attacker can exploit this by providing a crafted string as an argument to functions like log(). For example, "& touch Song" results in execution of the touch command [1]. No authentication is required if the application exposes user-controlled input to these functions.

Successful exploitation allows arbitrary command execution with the privileges of the Node.js process, potentially leading to data exfiltration, system compromise, or lateral movement within the environment [2].

As of the advisory date, no fixed version is available for get-git-data. Users should avoid using the package or ensure user input is never passed to vulnerable functions, as the package appears unmaintained [1].