CVE-2020-7630
Description
git-add-remote through 1.0.0 is vulnerable to command injection via the name argument, enabling arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The git-add-remote npm package, in all versions up to and including 1.0.0, contains a command injection vulnerability in its `name` argument. The package does not sanitize the caller-supplied name before interpolating it into a shell command string, so whoever controls the name can inject arbitrary shell commands [1][2].
Exploitation is straightforward: an attacker supplies a name containing shell metacharacters (e.g., &, |, ;). The Snyk proof of concept uses the string "& touch Song", which ends the intended git command and runs touch as a second command [3]. No authentication or special privileges are required; the vulnerability is triggered simply by calling the library with a crafted argument.
A successful attack results in arbitrary command execution with the privileges of the Node.js process. Depending on the environment, this can lead to data exfiltration, malware installation, or full system compromise.
No patched version of git-add-remote is available, and the package appears to be unmaintained. Users should stop using it or, as a workaround, allowlist-validate the name and never let it reach a shell (for example by invoking git through an API that passes arguments without shell interpretation) [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-add-remote (npm) | <= 1.0.0 | — |
Affected products
- git-add-remote/git-add-remote
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The package does not neutralize special shell characters in the `name` argument before constructing an OS command."
Attack vector
An attacker can inject arbitrary OS commands by supplying a crafted `name` argument to the `git-add-remote` function. The package fails to sanitize or escape the user-supplied name before passing it to a shell command, enabling command injection [CWE-78]. No authentication or special network access is required beyond the ability to call the vulnerable API.
Affected code
The vulnerability exists in the `git-add-remote` npm package up to version 1.0.0. The advisory points to `index.js#L21` as the affected code location [ref_id=1].
What the fix does
The advisory does not include a published patch. The recommended remediation is to avoid passing unsanitized user input into shell commands, or to use a safe API that does not spawn a shell. Without a fix, users must manually validate or escape the `name` argument before calling `git-add-remote`.
Preconditions
- The attacker must be able to supply the `name` argument to the `git-add-remote` function.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h9v8-rm3m-5h5f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7630 (NVD entry)
- github.com/jonschlinkert/git-add-remote/blob/master/index.js (affected source; cited by MITRE and GHSA)
- snyk.io/vuln/SNYK-JS-GITADDREMOTE-564269 (Snyk advisory, with proof of concept)
News mentions
No linked articles in our index yet.