Command Injection
Description
libvcs before 0.11.1 allows command injection via argument injection in the hg clone command through the url parameter in update_repo.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in libvcs versions before 0.11.1. When the update_repo function is called with Mercurial (hg), the url parameter is passed directly to the hg clone command. An attacker can inject hg options (e.g., --config) into the URL, leading to arbitrary command execution. Affected versions: all prior to 0.11.1. [2][3]
Exploitation
An attacker needs control over the url parameter supplied to update_repo when using hg. No authentication is required if the function is exposed to user input. By injecting hg options such as --config or --ssh, the attacker can execute arbitrary commands on the host system. [3]
Impact
Successful exploitation results in arbitrary command execution with the privileges of the process running libvcs. This can lead to full system compromise, data exfiltration, or lateral movement within the environment. [3]
Mitigation
The issue is fixed in libvcs version 0.11.1, released on 2022-03-12. Users should upgrade to 0.11.1 or later. No workaround is available. The fix is referenced in the vcspull commit [4] and changelogs [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
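The argument-injection shape described above, as an added illustration (not libvcs's own code; the vulnerable builder is a reconstruction of the pattern the advisory describes, and `classify_argv` is a simplified getopt-style model rather than Mercurial's parser): a caller-controlled url placed into the hg argv unguarded is consumed as an option when it begins with "-", while the hardened builder rejects option-shaped values and passes `--`, which hg honours as the end of options.

```python
"""Argument-injection shape behind the libvcs hg clone advisory, with a
hardened argv builder. Added illustration, not libvcs's own code."""
import subprocess
from typing import List, Tuple


def vulnerable_hg_clone_argv(url: str, dest: str) -> List[str]:
    # Reconstructed vulnerable shape: the caller-controlled url is placed in
    # argv unguarded, so a value beginning with "-" reaches hg as an option.
    return ["hg", "clone", "--noupdate", "-q", url, dest]


def classify_argv(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Simplified getopt-style model (hg's parser is richer, e.g. some options
    consume the following token): returns (options, positionals). Tokens
    after a bare "--" are always positional."""
    options, positionals, parsing = [], [], True
    for tok in argv[2:]:  # skip "hg" and the subcommand
        if parsing and tok == "--":
            parsing = False
        elif parsing and tok.startswith("-") and tok != "-":
            options.append(tok)
        else:
            positionals.append(tok)
    return options, positionals


def is_option_shaped(value: str) -> bool:
    return value.startswith("-") and value != "-"


def hardened_hg_clone_argv(url: str, dest: str) -> List[str]:
    # Defence in depth: reject option-shaped values outright, and also pass
    # "--" so hg stops option parsing before the repository URL and path.
    for arg in (url, dest):
        if is_option_shaped(arg):
            raise ValueError(f"refusing option-shaped argument: {arg!r}")
    return ["hg", "clone", "--noupdate", "-q", "--", url, dest]


def clone(url: str, dest: str) -> subprocess.CompletedProcess:
    # argv list, no shell: the url is never interpreted by a shell either.
    return subprocess.run(hardened_hg_clone_argv(url, dest),
                          check=True, capture_output=True, text=True)


def find_option_shaped_urls(urls: List[str]) -> List[str]:
    """Audit helper: flag repository URLs (e.g. from a vcspull config or
    request logs) that hg would parse as options, the shape described here."""
    return [u for u in urls if is_option_shaped(u)]
```

The constructed value `--config=ui.verbose=true` used in testing is a harmless option-shaped string, not a working payload.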
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| libvcs (PyPI) | < 0.11.1 | 0.11.1 |
| vcspull (PyPI) | < 1.11.1 | 1.11.1 |
Affected products
- libvcs/libvcs
- ghsa-coords: 2 versions: < 0.11.1, + 1 more
- (no CPE) range: < 0.11.1
- (no CPE) range: < 1.11.1
Patches
e1b77128a1fa build(deps): Bump libvcs 0.11.0 -> 0.11.1 for hg URL vuln
2 files changed · +5 −5
poetry.lock+4 −4 modified@@ -258,7 +258,7 @@ PyYAML = ">=3.13,<6" [[package]] name = "libvcs" -version = "0.11.0" +version = "0.11.1" description = "vcs abstraction layer" category = "main" optional = false @@ -856,7 +856,7 @@ test = [] [metadata] lock-version = "1.1" python-versions = "^3.7" -content-hash = "75f022a19447ba66c67184939ac59a4cda476fdee64bcd4c00370afe7683d3dc" +content-hash = "7145670c9ee9d96c9bc45b608197c75e895469a5efb58fe689afbbad837ce212" [metadata.files] alabaster = [ @@ -1008,8 +1008,8 @@ kaptan = [ {file = "kaptan-0.5.12.tar.gz", hash = "sha256:1abd1f56731422fce5af1acc28801677a51e56f5d3c3e8636db761ed143c3dd2"}, ] libvcs = [ - {file = "libvcs-0.11.0-py3-none-any.whl", hash = "sha256:7e84a7a3b12cc2b5e72e0fc6e61a6be74a743f791e9e62e71b8d4a7f364d032c"}, - {file = "libvcs-0.11.0.tar.gz", hash = "sha256:4400653964eb5bfdd8caead183cdfe7812b6a6763ffc7ab2711cdeaa47018590"}, + {file = "libvcs-0.11.1-py3-none-any.whl", hash = "sha256:2efcf73ea35e0bae04517b076d9e5f9757ac3aa2a076b9f8da14e76135afd4be"}, + {file = "libvcs-0.11.1.tar.gz", hash = "sha256:50c71ea28840f8f6aeca09c604987b6cd637b1ab5be445bc3eb7d349db4e4966"}, ] livereload = [ {file = "livereload-2.6.3.tar.gz", hash = "sha256:776f2f865e59fde56490a56bcc6773b6917366bce0c267c60ee8aaf1a0959869"},
pyproject.toml+1 −1 modified@@ -44,7 +44,7 @@ vcspull = 'vcspull:cli.cli' python = "^3.7" click = ">=7<8.1" kaptan = "*" -libvcs = "~0.11.0" +libvcs = "~0.11.1" colorama = ">=0.3.9" [tool.poetry.dev-dependencies]
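Review bot: in the pyproject.toml hunk the new constraint `libvcs = "~0.11.1"` resolves in Poetry to >=0.11.1,<0.12.0, so the vulnerable 0.11.0 is excluded and the poetry.lock hunks (version, wheel and sdist hashes, content-hash) move consistently with it; what is missing is any reference to the advisory (GHSA-mv2w-4jqc-6fg4 / CVE-2022-21187) in the commit message or a vcspull CHANGES entry, which is what lets dependency-scanning tooling and downstream users tie this bump to the fix rather than to a routine update. Visible in the same hunk's context but unrelated to this change, `click = ">=7<8.1"` appears to be missing the comma between the two specifiers (`>=7,<8.1`); worth a separate follow-up.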
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mv2w-4jqc-6fg4 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-21187 (ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/libvcs/PYSEC-2022-163.yaml (WEB)
- github.com/vcs-python/libvcs/blob/master/CHANGES (WEB)
- github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12 (WEB, x_refsource_MISC)
- github.com/vcs-python/libvcs/pull/306 (WEB, x_refsource_MISC)
- github.com/vcs-python/vcspull/blob/master/CHANGES (WEB)
- github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e (WEB)
- snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204 (WEB, x_refsource_MISC)
News mentions
No linked articles in our index yet.