High severity · NVD Advisory · Published Jun 8, 2021 · Updated Aug 3, 2024

Remote Command Execution in reg-keygen-git-hash-plugin

CVE-2021-32673

Description

reg-keygen-git-hash-plugin is a reg-suit plugin that detects the snapshot key to be compared against, using the Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allows remote attackers to execute arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package · Affected versions · Patched versions
reg-keygen-git-hash-plugin (npm)
< 0.10.16 · 0.10.16

Affected products


Patches

f84ad9c7a221

Merge pull request from GHSA-49q3-8867-5wmp

https://github.com/reg-viz/reg-suit · Yosuke Kurami · Jun 8, 2021 · via ghsa
3 files changed · +18 5
  • packages/reg-keygen-git-hash-plugin/package.json+3 1 modified
    @@ -23,10 +23,12 @@
       "repository": "git+https://github.com/reg-viz/reg-suit.git",
       "license": "MIT",
       "dependencies": {
    -    "reg-suit-util": "^0.10.15"
    +    "reg-suit-util": "^0.10.15",
    +    "shell-escape": "^0.2.0"
       },
       "devDependencies": {
         "@types/jest": "26.0.23",
    +    "@types/shell-escape": "0.2.0",
         "glob": "7.1.6",
         "jest": "26.6.3",
         "reg-suit-interface": "^0.10.15",
    
  • packages/reg-keygen-git-hash-plugin/src/git-cmd-client.ts+5 4 modified
    @@ -1,4 +1,5 @@
     import { execSync } from "child_process";
    +import shellEscape from "shell-escape";
     
     export class GitCmdClient {
       private _revParseHash: { [key: string]: string } = {};
    @@ -19,22 +20,22 @@ export class GitCmdClient {
       }
     
       containedBranches(hash: string): string {
    -    return execSync(`git branch -a --contains ${hash}`, { encoding: "utf8" });
    +    return execSync(shellEscape(["git", "branch", "-a", "--contains", hash]), { encoding: "utf8" });
       }
     
       logTime(hash: string) {
    -    return execSync(`git log --pretty=%ci -n 1 ${hash}`, { encoding: "utf8" });
    +    return execSync(shellEscape(["git", "log", "--pretty=%ci", "-n", "1", hash]), { encoding: "utf8" });
       }
     
       logBetween(a: string, b: string) {
    -    return execSync(`git log --oneline ${a}..${b}`, { encoding: "utf8" });
    +    return execSync(shellEscape(["git", "log", "--oneline", `${a}..${b}`]), { encoding: "utf8" });
       }
     
       logGraph() {
         return execSync('git log -n 300 --graph --pretty=format:"%h %p"', { encoding: "utf8" });
       }
     
       mergeBase(a: string, b: string) {
    -    return execSync(`git merge-base -a ${a} ${b}`, { encoding: "utf8" });
    +    return execSync(shellEscape(["git", "merge-base", "-a", a, b]), { encoding: "utf8" });
       }
     }
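Review bot: The new execSync calls in containedBranches, logTime, logBetween and mergeBase still run through a shell; shell-escape neutralises metacharacters, but it cannot stop git itself from reading a hash that begins with `-` as an option (argument injection rather than command injection). A value-level check before the string reaches git closes that gap, e.g. at the top of each method `if (!/^[0-9a-f]{4,40}$/i.test(hash)) throw new Error("invalid git object hash");`, and if callers are allowed to pass symbolic refs, a rev-parse step should normalise them first. Independently of that, `execFileSync("git", ["branch", "-a", "--contains", hash], { encoding: "utf8" })` would bypass the shell entirely and remove the need for the new shell-escape dependency added in package.json and yarn.lock. logGraph is unchanged and builds a constant command, so it is not affected.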
    
  • yarn.lock+10 0 modified
    @@ -1760,6 +1760,11 @@
         "@types/tough-cookie" "*"
         form-data "^2.5.0"
     
    +"@types/shell-escape@0.2.0":
    +  version "0.2.0"
    +  resolved "https://registry.yarnpkg.com/@types/shell-escape/-/shell-escape-0.2.0.tgz#cd2f0df814388599dd07196dcc510de2669d1ed2"
    +  integrity sha512-7kUdtJtUylvyISJbe9FMcvMTjRdP0EvNDO1WbT0lT22k/IPBiPRTpmWaKu5HTWLCGLQRWVHrzVHZktTDvvR23g==
    +
     "@types/sinon@10.0.2":
       version "10.0.2"
       resolved "https://registry.yarnpkg.com/@types/sinon/-/sinon-10.0.2.tgz#f360d2f189c0fd433d14aeb97b9d705d7e4cc0e4"
    @@ -8073,6 +8078,11 @@ shebang-regex@^3.0.0:
       resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-3.0.0.tgz#ae16f1644d873ecad843b0307b143362d4c42172"
       integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==
     
    +shell-escape@^0.2.0:
    +  version "0.2.0"
    +  resolved "https://registry.yarnpkg.com/shell-escape/-/shell-escape-0.2.0.tgz#68fd025eb0490b4f567a027f0bf22480b5f84133"
    +  integrity sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=
    +
     shell-quote@^1.6.1:
       version "1.7.1"
       resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.7.1.tgz#3161d969886fb14f9140c65245a5dd19b6f0b06b"
    


References

