CVE-2021-44684
Description
github-todos 3.1.0 is vulnerable to command injection via the range argument of the _hook subcommand, enabling arbitrary command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In github-todos version 3.1.0, the _hook subcommand's --range argument is concatenated into a command string without sanitization and passed to the exec function. This allows an attacker to inject arbitrary shell commands by providing a specially crafted --range value [1][2].
Exploitation
An attacker can exploit this vulnerability by passing a malicious --range argument to the github-todos _hook command. For example, the proof-of-concept payload --range "a..'; touch pwned" will execute the touch pwned command after the intended operation [3]. No authentication is required, but the attacker must be able to invoke the github-todos binary with the crafted argument (e.g., via a command line or automated script).
Impact
Successful exploitation results in arbitrary command execution with the privileges of the user running github-todos. This can lead to full system compromise, including data exfiltration, installation of malware, or lateral movement within the network.
Mitigation
As of the publication date (December 6, 2021), no official patch has been released for CVE-2021-44684. Users are advised to avoid using the _hook subcommand or to discontinue use of github-todos until a fix is provided. Deployments of the software should be reviewed for signs of exploitation, and monitoring for unusual command executions is recommended [1][2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github-todos | npm | <= 3.1.0 | — |
Affected products
- naholyr/github-todos
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `range` argument for the `_hook` subcommand is concatenated into an OS command without any validation or sanitization, then passed directly to the `exec` function."
Attack vector
An attacker can inject arbitrary OS commands by supplying a crafted `range` argument to the `_hook` subcommand of github-todos [ref_id=1]. The input is concatenated without validation and passed directly to the `exec` function, which executes it as a system command [CWE-78]. No authentication or special network position is required beyond the ability to invoke the vulnerable subcommand with attacker-controlled input.
Affected code
The advisory does not specify exact file paths or function names beyond identifying the `_hook` subcommand and the `exec` function as the vulnerable code path [ref_id=1]. The `range` argument for the `_hook` subcommand is concatenated without validation and directly passed to `exec`.
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The recommended fix is to properly validate and sanitize the `range` argument before it is used in the `exec` function, or to avoid using `exec` with user-supplied input entirely [CWE-78]. No official patch has been published in the referenced materials.
Preconditions
- Attacker must be able to supply the `range` argument to the `_hook` subcommand of github-todos
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-792j-9wj3-j634 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44684 (NVD advisory)
- advisory.dw1.io/5 (web)
- github.com/dwisiswant0/advisory/issues/5 (web)
- github.com/naholyr/github-todos/issues/34 (MITRE reference)
News mentions
No linked articles in our index yet.