Command Injection
Description
The git-pull-or-clone package before 2.0.2 is vulnerable to command injection via the --upload-pack argument in git clone.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the git-pull-or-clone npm package before 2.0.2, gitPullOrClone() builds the argument list for git clone as ['clone', flag, url, outPath] and hands it to the spawn() API [1], [2], [3]. spawn() avoids a shell, so shell metacharacters are not the problem; the problem is git's own option parsing. Because no `--` separator precedes url and outPath, git treats either value as an option if it begins with `-`, and git clone accepts --upload-pack=<command>, the same option git fetch supports, which names a program git runs to serve the repository [1], [2]. An attacker-controlled url or outPath can therefore smuggle --upload-pack into the git command line and name an arbitrary command [1], [2], [3].
Exploitation
An attacker who can control either the url or the outPath parameter passed to gitPullOrClone() can inject a command by supplying a value of the form --upload-pack=<command> [2], [3]. For the transports on which git honours --upload-pack (local paths and ssh), git runs the named command through a shell, so the whole string after `=` is executed. For example, setting outPath to --upload-pack=touch /tmp/pwn3, or url to --upload-pack=touch /tmp/pwn4, results in touch being executed [2]. No authentication or user interaction is required beyond the ability to call the function with attacker-controlled arguments.
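The following is an added example, not code from the git-pull-or-clone package, covering both the argument construction described under Vulnerability and the injection values described under Exploitation. It rebuilds the argument list exactly as the vulnerable and the patched versions do, then runs both through a deliberately simplified model of git's option parsing (options before `--`, operands after) to show which inputs git would read as --upload-pack. The model parser, the sample URL, and the caller-side guard rejectOptionLike() are assumptions made for illustration; nothing here executes git.

```javascript
// Added example (not git-pull-or-clone's own code). Models how git classifies
// the argument lists built by the vulnerable and patched versions of the package.

// Argument list built by git-pull-or-clone < 2.0.2 (the `-` line of the fix):
// url and outPath follow the flag directly, so git may parse them as options.
function vulnerableCloneArgs(url, outPath, depth = Infinity) {
  const flag = depth < Infinity ? '--depth=' + depth : '--single-branch';
  return ['clone', flag, url, outPath];
}

// Argument list built by 2.0.2 (the `+` line of the fix): `--` ends option
// parsing, so url and outPath are always positional operands.
function patchedCloneArgs(url, outPath, depth = Infinity) {
  const flag = depth < Infinity ? '--depth=' + depth : '--single-branch';
  return ['clone', flag, '--', url, outPath];
}

// Simplified model of git's argv handling (an assumption, not git's real parser):
// before `--`, anything starting with '-' is an option; after `--`, everything
// is an operand (repository, then directory).
function classifyGitCloneArgs(args) {
  const options = [];
  const operands = [];
  let optionsEnded = false;
  for (const arg of args.slice(1)) { // skip the 'clone' subcommand itself
    if (!optionsEnded && arg === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && arg.startsWith('-')) {
      options.push(arg);
    } else {
      operands.push(arg);
    }
  }
  return { options, operands };
}

// Returns the command git would be told to run via --upload-pack=<cmd>, or null
// when no argument is parsed as that option.
function injectedUploadPack(args) {
  const prefix = '--upload-pack=';
  const hit = classifyGitCloneArgs(args).options.find((o) => o.startsWith(prefix));
  return hit ? hit.slice(prefix.length) : null;
}

// Hypothetical caller-side guard (not part of the package; the advisory lists no
// workaround): refuse any value that git could read as an option.
function rejectOptionLike(name, value) {
  if (typeof value !== 'string' || value.startsWith('-')) {
    throw new Error(name + " must not start with '-': " + JSON.stringify(value));
  }
  return value;
}

// Constructed inputs mirroring the advisory's exploitation examples.
const EVIL_OUT_PATH = '--upload-pack=touch /tmp/pwn3';
const EVIL_URL = '--upload-pack=touch /tmp/pwn4';
const SAMPLE_URL = 'https://example.invalid/repo.git'; // placeholder, not a real remote

// Summarise what each version lets through for the two attack vectors.
function compareVersions() {
  return {
    vulnerableViaOutPath: injectedUploadPack(vulnerableCloneArgs(SAMPLE_URL, EVIL_OUT_PATH)),
    vulnerableViaUrl: injectedUploadPack(vulnerableCloneArgs(EVIL_URL, '/tmp/dest')),
    patchedViaOutPath: injectedUploadPack(patchedCloneArgs(SAMPLE_URL, EVIL_OUT_PATH)),
    patchedViaUrl: injectedUploadPack(patchedCloneArgs(EVIL_URL, '/tmp/dest')),
  };
}

console.log(compareVersions());
```

In the vulnerable list the injected string is classified as an option and injectedUploadPack() returns `touch /tmp/pwn3` (or `touch /tmp/pwn4` for the url vector); in the patched list both values sit after `--` and are read as the repository and directory operands, so the function returns null. rejectOptionLike() is the extra check a caller could add in front of any git wrapper that still lacks the `--` separator.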
Impact
Successful exploitation allows arbitrary command execution on the system where the package is used [1], [2], [3]. The attacker can execute any system command with the privileges of the Node.js process, potentially leading to full system compromise, data exfiltration, or further lateral movement.
Mitigation
The vulnerability is fixed in version 2.0.2 of git-pull-or-clone, which inserts a `--` separator before url and outPath so that git no longer interprets either value as an option [3]. Users should upgrade to this version or later. There are no known workarounds; the only mitigation is to update the package [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-pull-or-clone (npm) | < 2.0.2 | 2.0.2 |
Affected products
- git-pull-or-clone/git-pull-or-clone
Patches
f9ce092be13c fix: fix command injection vector
1 file changed · +1 −1
index.js+1 −1 modified@@ -28,7 +28,7 @@ function gitPullOrClone (url, outPath, opts, cb) { function gitClone () { // --depth implies --single-branch const flag = depth < Infinity ? '--depth=' + depth : '--single-branch' - const args = ['clone', flag, url, outPath] + const args = ['clone', flag, '--', url, outPath] debug('git ' + args.join(' ')) spawn('git', args, {}, function (err) { if (err) err.message += ' (git clone) (' + url + ')'
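Review bot: the `--` in the `+` line is placed correctly after `flag`, so both `url` and `outPath` become positional operands and `--upload-pack=...` can no longer be read as an option, but the hunk ships no regression test. Add a test that calls gitPullOrClone with `url = '--upload-pack=...'` and, separately, `outPath = '--upload-pack=...'`, and asserts that the callback receives an error and the side-effect command was not run, so the separator cannot be dropped again unnoticed.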
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3x62-x456-q2vm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24437 (NVD advisory)
- gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b (misc/web)
- github.com/feross/git-pull-or-clone/commit/f9ce092be13cc32e685dfa26e7705e9c6e3108a3 (fix commit)
- snyk.io/vuln/SNYK-JS-GITPULLORCLONE-2434307 (misc/web)