High severity · NVD Advisory · Published Mar 21, 2022 · Updated Sep 16, 2024
Remote Code Execution (RCE)
CVE-2022-25766
Description
The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User-controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ungit (npm) | < 1.5.20 | 1.5.20 |
References
- github.com/advisories/GHSA-hf8c-xr89-vfm5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25766 (advisory)
- github.com/FredrikNoren/ungit/blob/master/CHANGELOG.md#1520 (web)
- github.com/FredrikNoren/ungit/pull/1510 (web)
- github.com/FredrikNoren/ungit/pull/1511 (web)
- snyk.io/vuln/SNYK-JS-UNGIT-2414099 (web)