Command Injection Affecting async-git package, versions <1.13.1
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 2.06% (89th percentile)
- Snyk ID SNYK-JS-ASYNCGIT-1063505
- published 22 Jan 2021
- disclosed 22 Jan 2021
- credit Omri Lotan
Introduced: 22 Jan 2021
CVE-2021-3190
How to fix?
Upgrade async-git to version 1.13.1 or higher.
Overview
async-git is a package for retrieving data from the current git repository.
Affected versions of this package are vulnerable to Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
POC
git.reset('; touch HACKED #'); // file "HACKED" was created
git.tag('; touch HACKED #'); // file "HACKED" was created
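As an added illustration of the bug class behind this advisory (not async-git's own code and not from the advisory), the vulnerable pattern of splicing a caller-supplied ref into a shell command string, beside a hardened form that allow-lists the ref and invokes git without a shell. The wrapper names and the ref-name pattern are assumptions.

```javascript
// Added illustration of the injection class in this advisory; not async-git's code.
// Assumed: a wrapper that turns a caller-supplied ref name into a git invocation.

// Vulnerable pattern: the ref is spliced into a single command string that is
// handed to a shell (e.g. child_process.exec). A shell reads ';' as a command
// separator and '#' as a comment, so the PoC input above runs "touch HACKED".
function buildShellCommand(subcommand, ref) {
  return `git ${subcommand} ${ref}`;
}

// Hardened pattern, two layers:
// 1. Allow-list the ref: letters, digits, '.', '_', '/', '-' only, and no
//    leading '-' so the value cannot be parsed by git as an option.
//    (Assumed pattern; git-check-ref-format applies stricter rules.)
const SAFE_REF = /^[A-Za-z0-9._\/-]+$/;

function isSafeRef(ref) {
  return typeof ref === 'string'
    && ref.length > 0
    && !ref.startsWith('-')
    && SAFE_REF.test(ref);
}

// 2. Never go through a shell: execFile passes argv to git directly, so a
//    metacharacter that slipped past the allow-list is only an odd ref name.
function runGit(subcommand, ref, cwd = process.cwd()) {
  if (!isSafeRef(ref)) {
    throw new Error(`refusing to run git ${subcommand}: invalid ref ${JSON.stringify(ref)}`);
  }
  // Required lazily so the pure checks above can be tested without spawning git.
  const { execFileSync } = require('node:child_process');
  return execFileSync('git', [subcommand, ref], { cwd, encoding: 'utf8' });
}

// Mirrors the PoC input from the advisory (constructed here; nothing is executed).
const POC_INPUT = '; touch HACKED #';
```

The detection value of the first layer is that a rejected ref is a loggable event, whereas the second layer is what actually removes the shell from the path.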