CVE-2021-44685
Description
Git-it through 4.4.0 is vulnerable to OS command injection in the Branches Aren't Just For Birds challenge step due to unsanitized branch name input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-44685 describes an OS command injection vulnerability in Git-it through version 4.4.0, specifically in the "Branches Aren't Just For Birds" challenge step [1]. During the verification process for this challenge, the application attempts to run the reflog command followed by the current branch name. The branch name is not sanitized before being passed to the command execution, allowing an attacker to inject arbitrary OS commands [1][2].
Exploitation
An attacker must be able to create or control a Git branch name containing shell metacharacters. The attack is triggered when a user opens the affected challenge step and the application automatically runs the reflog verification process with the unsanitized branch name [1][2]. No authentication is required beyond the ability to contribute to the repository; a user could simply clone the repository, create a malicious branch, and push it to a shared remote, expecting other Git-it users to fetch and attempt the challenge [2].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the Git-it application process. This could lead to full compromise of the user's system, including data exfiltration, installation of malware, or privilege escalation [1][2]. The impact is rated high due to the ease of exploitation and potential for complete system takeover.
Mitigation
As of the available references, no official patch or fixed version has been released for Git-it [4]. Users should consider discontinuing use of Git-it, especially for the affected challenge step, and monitor the project's release page for updates [3][4]. No workaround is documented; the safest approach is to avoid the vulnerable functionality until a fix is provided.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-it-electron (npm) | <= 4.3.0 | — |
Affected products
- Git-it/Git-it
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
The application does not sanitize the current Git branch name before interpolating it into a shell command during the verification step of the "Branches Aren't Just For Birds" challenge.
Attack vector
An attacker can create a Git repository with a branch name containing shell metacharacters (e.g., backticks, semicolons, or command substitution syntax). When the user runs the Git-it verification process for the "Branches Aren't Just For Birds" challenge, the application constructs a command like `git reflog <branch-name>` using the unsanitized branch name [1]. The shell interprets the injected metacharacters, allowing arbitrary OS command execution on the victim's machine (CWE-78). No authentication is required beyond the ability to set a branch name in a local Git repository.
Affected code
The vulnerable code is in the Git-it Electron repository at `lib/verify/branches_arent_just_for_birds.js`, line 55 [1]. This file handles the verification logic for the "Branches Aren't Just For Birds" challenge step and constructs a shell command using the current Git branch name without sanitization.
What the fix does
No patch is included in the bundle. The advisory [1] identifies the vulnerable code path at `lib/verify/branches_arent_just_for_birds.js` line 55 in the Git-it Electron repository. The remediation would require sanitizing or escaping the branch name before passing it to the shell command, or using an API that avoids shell interpretation entirely (e.g., passing arguments as an array to `child_process.spawn` instead of a string to `child_process.exec`).
Preconditions
- Config: The victim must be running Git-it 4.4.0 or earlier and must open the "Branches Aren't Just For Birds" challenge.
- Input: The attacker must be able to set or influence the current Git branch name (e.g., by cloning a malicious repository or convincing the victim to create a branch with a crafted name).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wjqc-j537-j9gj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44685 (advisory)
- advisory.dw1.io/3 (web)
- github.com/dwisiswant0/advisory/issues/3 (web)
- github.com/jlord/git-it-electron/releases (web)
News mentions
No linked articles in our index yet.