Critical severity · NVD Advisory · Published May 13, 2022 · Updated Sep 16, 2024
Command Injection
CVE-2022-25865
Description
The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function is called, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that allows additional flags to be set. Those additional flags can be used to perform command injection.
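The weakness above is an argument-injection pattern: a value that begins with "-" lands directly after the git subcommand, so git's option parser reads it as a flag rather than as a remote or branch name. The following is an added TypeScript example, not code from workspace-tools, that builds the argv both ways (the pre-fix shape and the hardened shape with a "--" separator plus operand validation) and includes a small checker showing which entries git's parser would see as options. All function names and the sample values are constructed for illustration.

```typescript
// Added example (not workspace-tools code): how untrusted values reach git's
// option parser, and the hardened argv shape with "--" plus operand validation.

// Pre-fix shape: untrusted values sit directly after the subcommand, so a
// value beginning with "-" is parsed by git as an option, not as a remote name.
function buildFetchArgsUnsafe(remote: string, remoteBranch?: string): string[] {
  const args = ["fetch", remote];
  if (remoteBranch !== undefined) args.push(remoteBranch);
  return args;
}

// Returns the entries of a git argv (after the subcommand) that git would treat
// as options: anything starting with "-" that appears before the "--" separator.
// Useful as a unit-test helper or a pre-spawn guard for any git() call site.
function optionsSeenByGit(args: string[]): string[] {
  const seen: string[] = [];
  for (const a of args.slice(1)) {   // skip the subcommand itself
    if (a === "--") break;           // everything after "--" is positional
    if (a.startsWith("-")) seen.push(a);
  }
  return seen;
}

// Defense in depth: reject values that could ever be read as options, or that
// carry control characters no remote or branch name should contain. This also
// protects call sites that forget the "--" separator.
function assertSafeGitOperand(value: string, what: string): void {
  if (value.length === 0) throw new Error(`${what} must not be empty`);
  if (value.startsWith("-")) throw new Error(`${what} must not start with "-": ${value}`);
  if (/[\0\r\n]/.test(value)) throw new Error(`${what} contains control characters`);
}

// Post-fix shape: "--" ends option parsing, so remote/branch are always positional.
function buildFetchArgsSafe(remote: string, remoteBranch?: string): string[] {
  assertSafeGitOperand(remote, "remote");
  if (remoteBranch !== undefined) assertSafeGitOperand(remoteBranch, "remoteBranch");
  const args = ["fetch", "--", remote];
  if (remoteBranch !== undefined) args.push(remoteBranch);
  return args;
}

// Constructed inputs: a normal remote name and a flag-shaped (hostile) value.
const CONSTRUCTED_REMOTE = "origin";
const CONSTRUCTED_FLAG_SHAPED = "--not-a-remote";

// Demo: the unsafe builder hands the flag-shaped value to git's option parser;
// the safe builder refuses it before git is ever spawned.
function demo(): { unsafeOptions: string[]; safeRejected: boolean; safeArgs: string[] } {
  const unsafeOptions = optionsSeenByGit(buildFetchArgsUnsafe(CONSTRUCTED_FLAG_SHAPED, "main"));
  let safeRejected = false;
  try {
    buildFetchArgsSafe(CONSTRUCTED_FLAG_SHAPED, "main");
  } catch (_e) {
    safeRejected = true;
  }
  const safeArgs = buildFetchArgsSafe(CONSTRUCTED_REMOTE, "main");
  return { unsafeOptions, safeRejected, safeArgs };
}

const result = demo();
console.log("options git would parse (unsafe shape):", result.unsafeOptions);
console.log("flag-shaped remote rejected by safe builder:", result.safeRejected);
console.log("safe argv:", result.safeArgs);
```

The argv is always passed to the process spawner as an array (never joined into a shell string), which is why the remaining risk is git's own option parsing rather than the shell; the "--" separator addresses exactly that layer, and the leading-dash check catches the same class of input at call sites that do not use the separator.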
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| workspace-tools (npm) | < 0.18.4 | 0.18.4 |
Affected products
- Range: unspecified
Patches
9bc7e65ce497 Fix git fetch - addresses a potential security concern regarding git fetch (#103)
2 files changed · +9 −2
change/workspace-tools-01b53966-7f59-4ab9-abd7-ac355a7ae3b1.json+7 −0 added@@ -0,0 +1,7 @@ +{ + "type": "patch", + "comment": "fixes a potential security issue where fetch --upload-pack can allow for command injection", + "packageName": "workspace-tools", + "email": "kchau@microsoft.com", + "dependentChangeType": "patch" +}
src/git.ts+2 −2 modified@@ -118,15 +118,15 @@ export function getUntrackedChanges(cwd: string) { } export function fetchRemote(remote: string, cwd: string) { - const results = git(["fetch", remote], { cwd }); + const results = git(["fetch", "--", remote], { cwd }); if (!results.success) { throw gitError(`Cannot fetch remote: ${remote}`); } } export function fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) { - const results = git(["fetch", remote, remoteBranch], { cwd }); + const results = git(["fetch", "--", remote, remoteBranch], { cwd }); if (!results.success) { throw gitError(`Cannot fetch remote: ${remote} ${remoteBranch}`);
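Review bot: The diff adds no regression test for either hunk; only the change file and src/git.ts are touched, so nothing asserts that a remote or branch value beginning with "-" is now passed positionally. Suggest a test that calls fetchRemote and fetchRemoteBranch with a leading-dash value and checks the argv handed to git() is `["fetch", "--", remote]` / `["fetch", "--", remote, remoteBranch]`. Inserting "--" is the right fix for both functions, but consider also rejecting empty or leading-dash operands in fetchRemote/fetchRemoteBranch (or in git() itself) so other call sites in git.ts that build argv from user input get the same protection without each one remembering the separator.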
References
- github.com/advisories/GHSA-5875-m6jq-vf78 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25865 (NVD)
- github.com/microsoft/workspace-tools/commit/9bc7e65ce497f87e1f363fd47b8f802f3d3cd978 (fix commit)
- github.com/microsoft/workspace-tools/pull/103 (fix pull request)
- snyk.io/vuln/SNYK-JS-WORKSPACETOOLS-2421201 (Snyk)