Command Injection
Description
The package cocoapods-downloader before 1.6.0, and from 1.6.2 before 1.6.3, is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The cocoapods-downloader gem before 1.6.0 and between 1.6.2 and 1.6.3 is vulnerable to command injection via git argument injection in the preprocess_options function.
Vulnerability
The cocoapods-downloader gem prior to version 1.6.0 and versions from 1.6.2 to 1.6.3 (exclusive) is vulnerable to command injection through git argument injection. The vulnerability exists in the Pod::Downloader.preprocess_options function, where both the :git and :branch parameters are passed to the git ls-remote subcommand without proper validation, allowing attackers to set additional flags [1][2][4].
Exploitation
An attacker who can control the :git or :branch input to the preprocess_options function can inject additional flags (e.g., values starting with -- or containing --). Since these inputs are passed straight through to the git command line executed by the system, the attacker can inject arbitrary commands [2][3]. No authentication is required if the attacker can provide the options to the downloader; this could occur through a manipulated Podfile or a malicious spec repository.
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the system running the CocoaPods downloader. This can lead to full compromise of the environment, including data exfiltration, file modification, or further lateral movement, depending on the privileges of the process [1][4].
Mitigation
The vulnerability is fixed in versions 1.6.0 and 1.6.3 of the cocoapods-downloader gem [1][2]. The fix adds input validation via the validate_input method, which raises a DownloaderError if the input contains arguments starting with -- or containing -- [3]. Users should upgrade to at least version 1.6.0 or 1.6.3. No workaround is available for unfixed versions.
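As an added example, not code from the cocoapods-downloader gem, the following Ruby reproduces the shape of the validate_input check described above (reject option values that start with `--` or contain ` --`) and builds the `git ls-remote` argv as an array with an explicit `--` end-of-options marker, the second guard the 1.6.3 fix added. The option keys :git, :branch, :commit and :tag follow the advisory; `UnsafeInputError`, `validate_git_options`, `build_ls_remote_argv` and `safe_options?` are names chosen for this example, and all inputs are constructed.

```ruby
# Added example (not the gem's own code). Shows the two layers a defender
# wants here: a denylist on flag-like option values, and an argv built as an
# array (no shell) with "--" so git stops parsing options before any
# user-controlled value. Names below are chosen for this example.

class UnsafeInputError < StandardError; end

# A value is treated as flag-like if it begins with "--" or carries " --"
# after a space; this mirrors the advisory's validate_input condition.
FLAG_LIKE = ->(value) { value.start_with?('--') || value.include?(' --') }

# Validate every option that ends up on a git command line. compact runs
# before to_s so that nil entries are dropped rather than turned into "".
def validate_git_options(options)
  input = [options[:git], options[:branch], options[:commit], options[:tag]]
          .compact.map(&:to_s)
  invalid = input.any?(&FLAG_LIKE)
  raise UnsafeInputError, "Provided unsafe input for git #{options}." if invalid
  options
end

# Build the argv for `git ls-remote`. The "--" marker means that even a value
# the denylist misses (a single-dash option, for instance) is taken by git as
# a repository or ref, never as a flag. The array form is meant for
# Process.spawn/system with separate arguments, never for a shell string.
def build_ls_remote_argv(options)
  validate_git_options(options)
  ['git', 'ls-remote', '--', options[:git], options[:branch]].compact
end

# Convenience predicate: true when the options pass validation.
def safe_options?(options)
  validate_git_options(options)
  true
rescue UnsafeInputError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one benign, one flag-like in :git, one with a
  # flag appended after a valid URL, one flag-like in :branch.
  samples = [
    { :git => 'https://example.invalid/repo.git', :branch => 'main' },
    { :git => '--upload-pack=some-program', :branch => 'main' },
    { :git => 'https://example.invalid/repo.git --upload-pack=some-program' },
    { :branch => '--upload-pack=some-program', :git => 'foo' },
  ]
  samples.each do |opts|
    verdict = safe_options?(opts) ? 'accepted' : 'rejected'
    puts "#{verdict}: #{opts.inspect}"
  end
  p build_ls_remote_argv(samples.first)
end
```

The denylist alone is narrow: it does not match single-dash short options or a `--` that follows a tab rather than a space, which is why the `--` marker and array-form execution (no shell) carry the real weight; the denylist then serves as an early, loud failure for the common case.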
- NVD - CVE-2022-24440
- Adds a check for command injections in the input for hg and git by orta · Pull Request #124 · CocoaPods/cocoapods-downloader
- Merge pull request #124 from CocoaPods/raise_on_cmd_inj · CocoaPods/cocoapods-downloader@b70bc39
- ruby-advisory-db/gems/cocoapods-downloader/CVE-2022-24440.yml at master · rubysec/ruby-advisory-db
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cocoapods-downloader (RubyGems) | < 1.6.0 | 1.6.0 |
| cocoapods-downloader (RubyGems) | >= 1.6.2, < 1.6.3 | 1.6.3 |
Affected products
- cocoapods-downloader/cocoapods-downloader
Patches
52a0d5446493 Merge pull request #128 from CocoaPods/validate_before_dl
2 files changed · +12 −0
lib/cocoapods-downloader/git.rb+6 −0 modified@@ -23,9 +23,15 @@ def checkout_options def self.preprocess_options(options) return options unless options[:branch] + input = [options[:git], options[:commit]].map(&:to_s) + invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') } + raise DownloaderError, "Provided unsafe input for git #{options}." if invalid + command = ['ls-remote', + '--', options[:git], options[:branch]] + output = Git.execute_command('git', command) match = commit_from_ls_remote output, options[:branch]
spec/git_spec.rb+6 −0 modified@@ -289,6 +289,12 @@ def ensure_only_one_ref(folder) new_options = Downloader.preprocess_options(options) new_options[:branch].should == 'aaaa' end + + it 'throws when proving an invalid input' do + options = { :git => '--upload-pack=touch ./HELLO1;', :branch => 'foo' } + e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError + e.message.should.match /Provided unsafe input/ + end end describe ':bad input' do
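Review bot: in the lib/cocoapods-downloader/git.rb hunk the new check sits after `return options unless options[:branch]`, so :git and :commit are validated only when a branch is given, and :branch itself is absent from the `input` array even though it is passed to ls-remote; the added `'--'` keeps ls-remote from reading it as a flag, but validating all of :git, :branch, :commit and :tag before the early return (as the validate_input helper in the other commit on this page does) would cover every path. Also, `.map(&:to_s)` runs before `.compact`, so nil becomes "" and the compact never removes anything; write `.compact.map(&:to_s)`.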
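Review bot: the spec/git_spec.rb hunk has a typo in the example name ('throws when proving an invalid input' should read 'providing') and covers only a leading `--` in :git; add a case with `--` after a space and one for :commit, which the new check also inspects, plus a positive case asserting that valid input yields a command with the `'--'` separator in place so the guard cannot be dropped silently.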
b70bc39c7564 Merge pull request #124 from CocoaPods/raise_on_cmd_inj
5 files changed · +53 −1
lib/cocoapods-downloader/git.rb+8 −1 modified@@ -21,6 +21,7 @@ def checkout_options end def self.preprocess_options(options) + validate_input options return options unless options[:branch] command = ['ls-remote', @@ -57,7 +58,13 @@ def self.commit_from_ls_remote(output, branch_name) match[1] unless match.nil? end - private_class_method :commit_from_ls_remote + def self.validate_input(options) + input = [options[:git], options[:branch], options[:commit], options[:tag]] + invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') } + raise DownloaderError, "Provided unsafe input for git #{options}." if invalid + end + + private_class_method :commit_from_ls_remote, :validate_input private
lib/cocoapods-downloader/mercurial.rb+13 −0 modified@@ -18,6 +18,19 @@ def checkout_options end end + def self.preprocess_options(options) + validate_input options + options + end + + def self.validate_input(options) + input = [options[:hg], options[:revision], options[:branch], options[:tag]].map(&:to_s) + invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') } + raise DownloaderError, "Provided unsafe input for hg #{options}." if invalid + end + + private_class_method :validate_input + private executable :hg
README.markdown+4 −0 modified@@ -72,6 +72,10 @@ All CocoaPods development happens on GitHub, there is a repository for [CocoaPod Follow [@CocoaPods](http://twitter.com/CocoaPods) to get up to date information about what's going on in the CocoaPods world. +## Development + +You need to have `svn`, `bzr`, `hg` and `git` installed to run the specs. There are some specs which require `hdiutil` which will only run on macOS. + ## License This gem and CocoaPods are available under the MIT license.
spec/git_spec.rb+20 −0 modified@@ -290,6 +290,26 @@ def ensure_only_one_ref(folder) new_options[:branch].should == 'aaaa' end end + + describe ':bad input' do + it 'bails when you provide a bad input' do + options = { :git => '--upload-pack=touch ./HELLO1;', :branch => 'foo' } + e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError + e.message.should.match /Provided unsafe input/ + end + + it 'bails when you provide a bad input after valid input' do + options = { :git => 'github.com --upload-pack=touch ./HELLO1;', :branch => 'foo' } + e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError + e.message.should.match /Provided unsafe input/ + end + + it 'bails with other fields' do + options = { :branch => '--upload-pack=touch ./HELLO1;', :git => 'foo' } + e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError + e.message.should.match /Provided unsafe input/ + end + end end end end
spec/mercurial_spec.rb+8 −0 modified@@ -106,5 +106,13 @@ module Downloader new_options.should == options end end + + describe ':bad input' do + it 'bails when you provide a bad input' do + options = { :hg => '--config=alias.clone=!touch ./HELLO2;' } + e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError + e.message.should.match /Provided unsafe input/ + end + end end end
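Review bot: in lib/cocoapods-downloader/git.rb, validate_input does not call `.map(&:to_s)` on `input` as the mercurial version does, so a non-String option value raises NoMethodError from `start_with?` instead of DownloaderError; align the two helpers with `.compact.map(&:to_s)`. The check is also a denylist (leading `--` or ` --`): single-dash options and tab-separated arguments pass it, so the `command = ['ls-remote', ...]` array should additionally carry a `'--'` before options[:git] so git stops option parsing regardless of what the denylist misses.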
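Review bot: in lib/cocoapods-downloader/mercurial.rb, `.map(&:to_s)` turns nil entries into "" before `.compact` runs, so the compact is dead code; write `.compact.map(&:to_s)`. As with git, the `--`-prefix denylist does not catch single-dash options, so terminating options with `--` in the hg invocation is worth considering as well.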
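Review bot: the README.markdown hunk documents the tools needed to run the specs, but the new behaviour (preprocess_options now raising DownloaderError on `--`-style input) is not mentioned anywhere user-facing; a CHANGELOG or README line would help integrators who need to handle that error.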
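Review bot: the spec/git_spec.rb hunk exercises :git and :branch but not :commit or :tag, which validate_input also checks, and has no positive case showing that a legitimate value containing a double dash that is not flag-like (a repository path such as `foo--bar.git`) is still accepted; both would pin down the intended boundary of the check.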
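Review bot: spec/mercurial_spec.rb adds only the leading-`--` case for :hg; mirror the git spec's 'after valid input' and 'other fields' examples for :revision, :branch and :tag so the hg validate_input is covered to the same degree.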
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7627-mp87-jf6q (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24440 (advisory)
- github.com/CocoaPods/cocoapods-downloader/commit/52a0d54464932a90ded5a59c71a016e8dec0ca84 (web)
- github.com/CocoaPods/cocoapods-downloader/commit/b70bc39c75645aa6d4a01a3ca6de40477c84f4b5 (web)
- github.com/CocoaPods/cocoapods-downloader/pull/124 (web)
- github.com/CocoaPods/cocoapods-downloader/pull/128 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cocoapods-downloader/CVE-2022-24440.yml (web)
- snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414278 (web)
News mentions
No linked articles in our index yet.