CVE-2023-26134
Description
A command injection vulnerability in git-commit-info before 2.0.2 allows attackers to execute arbitrary commands via an unsanitized commit hash parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The git-commit-info package before version 2.0.2 is vulnerable to command injection because the gitCommitInfo() method does not sanitize the user-supplied commit parameter before passing it to a sensitive command exec API [1][3]. The package constructs a shell command using the commit hash without validating it, allowing an attacker to inject arbitrary shell metacharacters.
Attack Vector
An attacker who can control the commit hash value—for example, by supplying a malicious commit string directly or through application logic that accepts user input as the hash—can inject additional commands. A proof-of-concept (PoC) demonstrates that appending " || touch ci ||" to a valid hash causes the shell to execute the injected touch ci command [3].
Impact
Successful exploitation allows arbitrary command execution in the context of the application. The attacker could perform actions such as file creation, data exfiltration, or further system compromise. The vulnerable method is widely used in Node.js projects to retrieve commit information [4].
Mitigation
The issue has been patched in version 2.0.2 by adding a hash validation regex (/^[0-9a-f]{7,40}$/) that rejects any non-hexadecimal input before executing the command [2]. Users should upgrade to at least version 2.0.2. No workaround is available for earlier versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-commit-info (npm) | < 2.0.2 | 2.0.2 |
Affected products
- git-commit-info/git-commit-info
Patches
f7c491ede51f Fix: validate commit hashes before executing them | closes #24
2 files changed · +14 −0
index.ts+5 −0 modified@@ -20,6 +20,7 @@ export interface GitCommitInfoResult { } const regex = /\s+([\s\S]*)/g; // matches everything after the first whitespace +const hashRegex = /^[0-9a-f]{7,40}$/; const gitCommitInfo = (options: GitCommitInfoOptions = {}): GitCommitInfoResult => { const { @@ -29,6 +30,10 @@ const gitCommitInfo = (options: GitCommitInfoOptions = {}): GitCommitInfoResult const thisCommit = commit || ''; const thisPath = path.resolve(cwd); + if ((thisCommit && !(new RegExp(hashRegex).test(thisCommit)))) { + return { error: new Error('Not a valid commit hash') }; + } + if (!isGit(thisPath)) { return {}; }
__tests__/test.spec.ts+9 −0 modified@@ -93,3 +93,12 @@ test('no git repo', () => { expect(latestInfo).toEqual({}); }); + +test('ignore invalid commits | #24', () => { + const latestInfo = gitCommitInfo({ + cwd: path.join(fixtures, 'merge'), + commit: '82442c2405804d7aa44e7bedbc0b93bb17707626 || touch ci ||', + }); + + expect(latestInfo.error).toBeInstanceOf(Error); +});
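Review bot: in the index.ts hunk, `new RegExp(hashRegex)` re-wraps a value that is already a RegExp literal; `hashRegex.test(thisCommit)` is equivalent and clearer (the literal carries no `g` flag, so there is no `lastIndex` state to reset), and the doubled parentheses around the condition can go. Two things worth documenting alongside the change: the regex only accepts 7 to 40 lowercase hex digits, so callers that previously passed symbolic refs such as `HEAD`, a tag or a branch name as `commit` now get `{ error }` back instead of a result, and the early return `return { error: new Error('Not a valid commit hash') };` requires `GitCommitInfoResult` to declare an optional `error` field, which should be confirmed since the interface body is not in the hunk.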
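Review bot: the new case in __tests__/test.spec.ts only covers the negative path. Add a companion case asserting that a valid 40-character hash (and a 7-character abbreviation) for the `merge` fixture still returns commit info, so the regex cannot silently reject legitimate input, and an assertion that no `ci` file exists in the fixture directory after the call, which is what actually proves the injected command never ran.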
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h42j-mrmp-9369 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-26134 (ghsa, ADVISORY)
- github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c (ghsa, WEB)
- github.com/JPeer264/node-git-commit-info/issues/24 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-GITCOMMITINFO-5740174 (ghsa, WEB)
- www.npmjs.com/package/execa/v/5.1.0 (ghsa, WEB)