Remote Code Execution (RCE)
Description
All versions of the npm 'git' package are vulnerable to remote code execution via unsanitized input to the Git.git method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The git npm package (all versions) is vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method. The method does not properly separate intended git commands from arbitrary OS commands, allowing an attacker to inject shell metacharacters. The vulnerable code path is reachable whenever user-controlled input is passed to repo.git() without validation. No fixed version exists [1][2].
Exploitation
An attacker needs the ability to supply a string to the Git.git method. The proof-of-concept demonstrates that passing a string such as "version; date" results in execution of both the git version command and the date OS command. The attacker does not require a valid Git repository to be present; the method executes the input directly via a shell. The steps are: create a script that calls repo.git(user_input), install the git package, and run the script [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the environment. The impact is critical as it bypasses the intended command restriction and provides direct shell access [1][2].
Mitigation
As of the latest disclosure, no patched version of the git package has been released. The package appears to be unmaintained. Users should avoid using the git package entirely and migrate to a maintained alternative such as simple-git or isomorphic-git. No workaround exists that does not involve replacing the package. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git (npm) | <= 0.1.5 | — |
Affected products: 2
Patches: 0 (no patches discovered yet).
Vulnerability mechanics
Root cause
"Missing sanitization in the Git.git method allows shell metacharacters in user input to execute arbitrary OS commands."
Attack vector
An attacker provides a string containing shell metacharacters (e.g., a semicolon) as the first argument to `repo.git()`. The `Git.git` method concatenates this input directly into an OS command string without sanitization, so input like `"version; date"` executes both `git version` and the injected `date` command. No authentication or special network access is required; the attacker only needs to control the argument passed to the method. The target Git repository does not need to exist for the exploit to succeed [1][2].
Affected code
The vulnerability resides in the `Git.git` method of the `git` npm package. The method does not sanitize user-supplied input before passing it to an OS command execution context, allowing arbitrary shell commands to be injected alongside intended git commands.
What the fix does
No fix has been published for the `git` package [2]. The advisory recommends avoiding the package or ensuring that any user-supplied input passed to `Git.git` is strictly validated to contain only expected git subcommands and arguments, with shell metacharacters rejected. Without a patch, the only remediation is to stop using the vulnerable method with untrusted input.
Preconditions
- Input: the attacker must be able to supply a string argument to the Git.git method (e.g., via user input or an API parameter).
- Config: the vulnerable 'git' npm package must be installed and used in the application.
Reproduction
1. Create a file named `exploit.js` with the following content:

```js
// Proof of concept from the advisory: the string is passed through a shell,
// so the `date` after the semicolon runs as a separate OS command.
var Git = require("git").Git;
var repo = new Git("repo-test");      // this repository does not need to exist
var user_input = "version; date";
repo.git(user_input, function (err, result) {
  console.log(result);
});
```

2. In the same directory, run `npm install git`.
3. Run `node exploit.js`. The output shows both the git version and the result of the `date` command. The `repo-test` Git repository does not need to exist [1][2].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-9gqr-xp86-f87h (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2021-23632 (NVD)
[3] snyk.io/vuln/SNYK-JS-GIT-1568518 (Snyk)
News mentions: 0 (no linked articles in our index yet).