VYPR
High severity · NVD Advisory · Published Jun 1, 2022 · Updated Aug 4, 2024

CVE-2021-34081

Description

OS Command Injection vulnerability in bbultman gitsome through 0.2.3 allows attackers to execute arbitrary commands via a crafted tag name of the target git repository.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in bbultman gitsome up to 0.2.3 lets attackers execute arbitrary OS commands via a crafted git tag name.

Vulnerability

A command injection vulnerability exists in the bbultman gitsome package through version 0.2.3 [1]. The bug occurs in the handling of tag names when interacting with a target Git repository. By crafting a malicious tag name containing shell metacharacters, an attacker can cause the application to pass unsanitized input to an OS command, leading to arbitrary command execution [2]. The vulnerable code paths are reachable when the application processes tags from the repository, such as when listing or checking out tags [2]. All versions up to and including 0.2.3 are affected [1].

Exploitation

Exploitation requires the attacker to be able to set a tag name on the target Git repository that the gitsome instance will process [2]. This could be accomplished by contributing a tag to a public repository or by manipulating a private repository the user interacts with. The attacker does not need special authentication to gitsome itself, but the vulnerable function must be triggered (e.g., by the user running a command that lists or fetches tags). The crafted tag name includes shell metacharacters (such as backticks or command substitution), which are then interpolated into an OS command without proper sanitization, leading to command injection [2].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the user running gitsome [2]. This can lead to full compromise of the local system, including unauthorized data access, file modification, or installation of malware. The impact is limited only by the user's permissions and the sandbox of the shell environment. No additional authentication is required beyond the ability to set a tag name in the target Git repository [2].

Mitigation

As of the last available advisories, no patched version has been released; the maintainer was informed and a fix was planned, but the published references do not confirm that one is available [2]. Users should consider switching to alternative tools or manually sanitizing tag names before processing them with gitsome. The package may be considered unmaintained or at end-of-life, and no CISA KEV entry is associated with this CVE [1, 2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gitsome (npm)
Affected versions: <= 0.2.3
Patched versions: none

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)