`git-commiters` Command Injection vulnerability
Description
git-commiters is a Node.js module that provides committer statistics for a git repository. Prior to version 0.1.2, git-commiters contains a command injection vulnerability. It manifests in the library's primary exported API, gitCommiters(options, callback), which accepts options such as cwd (the current working directory) and revisionRange (a revision pointer such as HEAD). The library neither sanitizes user input nor uses a secure process execution API that separates the command from its arguments, so uncontrolled user input is concatenated into the executed command. This issue has been patched in version 0.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in the git-commiters npm package allows attackers to inject arbitrary shell commands via unsanitized revisionRange input before version 0.1.2.
Root Cause
The git-commiters npm package up to version 0.1.1 contains a command injection vulnerability in its primary API, gitCommiters(options, callback). The options.revisionRange parameter is directly concatenated into a shell command without proper sanitization or use of a secure process execution API that separates commands from arguments [1][2]. This allows an attacker to inject arbitrary shell commands when the library constructs and executes a git command using child_process or similar functions.
Exploitation
The vulnerability can be exploited by providing a malicious revisionRange value. For example, setting revisionRange: "HEAD; touch /tmp/pwn; #" will cause the library to execute git with the injected command touch /tmp/pwn, creating a file on the filesystem [2]. No authentication or special privileges are required beyond the ability to control the options object passed to gitCommiters(). The library's normal operation continues, making the injection potentially stealthy [2].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the system running the vulnerable package, with the same privileges as the Node.js process [1][2]. This can lead to full system compromise, data exfiltration, or further lateral movement, depending on the environment.
Remediation
The issue has been patched in version 0.1.2 by sanitizing the revisionRange input—removing single and double quotes and wrapping the value in quotes—to prevent injection [4]. Users are strongly advised to update to version 0.1.2 or later [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git-commiters (npm) | < 0.1.2 | 0.1.2 |
Affected products
- snowyu/git-commiters.js (v5 range: < 0.1.2)
Patches
- 7f0abfedbf50 fix: Command Injection vulnerability reported by lirantal
  1 file changed · +6 −0
src/git-log.coffee+6 −0 modified@@ -11,6 +11,12 @@ module.exports = (aOptions, done)-> if aOptions revRange = aOptions.revisionRange path = aOptions.path + if typeof revRange == 'string' + revRange = revRange.replace /['"]+/g, '' + if revRange + revRange = '"' + revRange + '"' + else + revRange = null gitCmd = 'git' gitDir = isRepositoryExists aOptions
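Review bot: the sanitization in this hunk still builds a shell string by concatenation: after stripping `'` and `"` the value is wrapped in double quotes, but characters the shell interprets inside double quotes (`$`, backtick, backslash) are not removed, so this is quote-handling rather than the command/argument separation the advisory calls for. Prefer passing the revision as its own element of an argument array to a non-shell execution API (`child_process.execFile` or `spawn` without `shell`), or allow-list `revRange` against a revision pattern and reject anything else instead of rewriting it. Also note the new `else revRange = null` branch: the code that assembles `gitCmd` below must now handle a null range rather than an empty string.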
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g38c-wxjf-xrh6 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59831 (GHSA, ADVISORY)
- github.com/snowyu/git-commiters.js/commit/7f0abfedbf506e3a61ac875d91324a8dbe756e84 (GHSA, x_refsource_MISC, WEB)
- github.com/snowyu/git-commiters.js/security/advisories/GHSA-g38c-wxjf-xrh6 (GHSA, x_refsource_CONFIRM, WEB)