VYPR
Critical severity · NVD Advisory · Published Jan 21, 2021 · Updated Aug 3, 2024

CVE-2021-3190

Description

The async-git package before 1.13.2 for Node.js allows OS command injection via shell metacharacters in git operations like reset and tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability in async-git (versions before 1.13.2) stems from passing untrusted input directly into git command lines that are executed through a shell. An attacker who controls the argument to wrapper functions such as git.reset or git.tag can append shell metacharacters (for example `;` or backticks) and have the shell run arbitrary OS commands alongside the intended git operation.

The attack requires that attacker-controlled input reaches one of these wrapper functions; if an application passes untrusted input (say, a branch or tag name taken from a request) straight through, no authentication is needed. The root cause is that the package built a single command string and ran it with child_process.exec or a similar shell-invoking method. Node's exec hands that string to /bin/sh (cmd.exe on Windows), which interprets metacharacters, whereas spawn with an argument array passes each argument to git directly, with no shell parsing in between.

Successful exploitation executes arbitrary commands on the host with the privileges of the Node.js process, which can amount to full remote code execution, data exfiltration, or further compromise of the server.

The fix in version 1.13.2 switched from shell-based execution to spawn with an argument array, as shown in pull request #14 [2]. Users should update immediately; the advisory lists no workaround other than updating.

References

1. NVD - CVE-2021-3190 [1]
2. GitHub Pull Request #14 (fix) [2]
3. GitHub Pull Request #13 (test for vulnerability) [3] and its commit [4]

Citations

The analysis above cites references [1], [2], [3], and [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
async-git (npm)  < 1.13.2            1.13.2
