Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface
Description
Command injection in git-interface before 2.1.2 allows RCE via crafted --upload-pack argument in git clone.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In git-interface versions prior to 2.1.2, the .clone() method did not sanitize the user-supplied repository or dest parameters before concatenating them into the git clone command line. Because the values were placed directly after clone, a value beginning with - is parsed by git as an option, and git clone accepts --upload-pack, which names a command for git to run; an attacker who controls either parameter can therefore inject arbitrary operating system commands. Versions affected: all before 2.1.2 [1][2].
Exploitation
An attacker can supply a crafted repository string (e.g., '--upload-pack=id') or a crafted dest string containing command-line flags. No authentication is required if the application exposes the clone functionality to unauthenticated users. The attacker only needs to control one of the two parameters; the injected command is then executed by the git process [1][3].
Impact
Successful exploitation results in remote code execution (RCE) with the privileges of the Node.js process. The attacker can execute arbitrary OS commands, potentially leading to full system compromise, data exfiltration, or lateral movement [1].
Mitigation
Upgrade to git-interface version 2.1.2 or later, released on 2022-04-22. The fix places -- before the repository and destination arguments so that git no longer parses them as options, removing the ability to inject extra flags [3]. No workaround is available for earlier versions; immediate upgrade is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-interface (npm) | < 2.1.2 | 2.1.2 |
Affected products
- yarkeev / git-interface (affected range: unspecified)
Patches
- f828aa790016: fix potential vulnerability with git clone
2 files changed · +7 −8
package.json+4 −3 modified@@ -1,6 +1,6 @@ { "name": "git-interface", - "version": "2.1.1", + "version": "2.1.2", "description": "some interfaces for work with git repository", "main": "dist/index", "typings": "dist/index", @@ -9,7 +9,7 @@ "build": "npm run clean && npm run ts", "dev": "npm run clean && ./node_modules/.bin/tsc -w", "ts": "./node_modules/.bin/tsc", - "prepublish": "npm run build" + "prepublishOnly": "npm run build && bump" }, "repository": { "type": "git", @@ -35,6 +35,7 @@ "homepage": "https://github.com/yarkeev/git-interface", "devDependencies": { "@types/node": "^10.10.3", - "typescript": "^3.0.3" + "typescript": "^3.0.3", + "version-bump-prompt": "^6.1.0" } }
src/index.ts+3 −5 modified@@ -61,12 +61,10 @@ export class Git extends EventEmitter{ } public clone(repository: string, dest: string, options?: { depth?: number}) { - const opt = options || { depth: Infinity } + const depthOption = opt.depth !== Infinity ? `--depth=${opt.depth}` : ''; - const depthOption = opt.depth !== Infinity ? ` --depth=${opt.depth}` : ''; - - return this.gitExec(`clone ${repository} ${dest}${depthOption}`); + return this.gitExec(`clone ${depthOption} -- ${repository} ${dest}`); } public checkout(branchName: string) { @@ -309,4 +307,4 @@ export class Git extends EventEmitter{ }); } -} \ No newline at end of file +}
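Review bot: in the src/index.ts hunk the added line `const depthOption = opt.depth !== Infinity ? \`--depth=${opt.depth}\` : '';` references `opt`, but the only declaration of `opt` visible here, `const opt = options || { depth: Infinity }`, is a removed line; unless `opt` is declared elsewhere in clone(), this will not compile, so keep that declaration next to the new line. The hardening also depends on `this.gitExec` splitting the template string into an argument vector rather than handing it to a shell: `--` stops git from parsing repository and dest as options, but does nothing about shell metacharacters if gitExec runs through a shell, so confirm gitExec's execution path or additionally reject values that start with `-` before this call. Minor: with an empty depthOption the template becomes `clone  -- ...` with a double space, which is only harmless if gitExec collapses whitespace.

Review bot: the package.json hunk that turns `"prepublish": "npm run build"` into `"prepublishOnly": "npm run build && bump"` and adds the `version-bump-prompt` devDependency bundles release tooling into the security fix; landing it as a separate commit would keep the fix minimal and easier to backport or audit.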
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-qffw-8wg7-h665 (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2022-1440 (NVD entry)
3. https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d (fix commit)
4. https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1 (huntr report)