High severity · NVD Advisory · Published Jul 1, 2022 · Updated Sep 17, 2024
Command Injection
CVE-2022-25900
Description
All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-clone (npm) | <= 0.2.0 | — |
Affected products
- Package: https://npmjs.com/package/git-clone
Patches
fd330459593a · Add security notice about args option
1 file changed · +3 −0
README.md+3 −0 modified@@ -25,6 +25,9 @@ As of 0.2.0 there's a promised-based API for use with `async`/`await`: * `checkout`: revision/branch/tag to check out after clone * `args`: additional array of arguments to pass to `git clone` +**NOTE:** the `args` option allows arbitrary arguments to be passed to `git`; this is inherently insecure if used in +combination with untrusted input. **Only use the `args` option with static/trusted input!** + ## Callback #### `clone(repo, targetPath, [options], cb)`
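Review bot: the fix is documentation only; the `args` option still forwards arbitrary arguments to `git`, so the `--upload-pack` vector named in the advisory is warned about but not closed (consistent with the table showing no patched version). Consider also rejecting option-like entries in `args`, or allowlisting the few clone flags callers actually need, in the clone path itself, and mention `--upload-pack` in the README note so readers know which argument the advisory concerns.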
References
- github.com/advisories/GHSA-8jmw-wjr8-2x66 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25900 (advisory)
- gist.github.com/lirantal/9441f3a1212728476f7a6caa4acb2ccc (web)
- github.com/jaz303/git-clone/commit/fd330459593aef7c7a8c54d786e3c4d5722749f9 (fix commit)
- snyk.io/vuln/SNYK-JS-GITCLONE-2434308 (web)