VYPR

npm package

ungit

pkg:npm/ungit

Vulnerabilities (2)

  • CVE-2022-25766 · Mar 21, 2022
    affected < 1.5.20 · fixed 1.5.20

    The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the `/api/fetch` endpoint. User-controlled values (`remote` and `ref`) are passed to the `git fetch` command. By injecting some git options it was possible

  • CVE-2015-4130 · cri · Aug 31, 2020
    affected < 0.9.0 · fixed 0.9.0

    Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter.

    Recommendation: Update to version 0.9.0 or later.