Arbitrary Command Execution Affecting pullit package, versions <1.4.0



    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.18% (55th percentile)
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:pullit:20180214
  • published 14 Feb 2018
  • disclosed 13 Feb 2018
  • credit Liran Tal

How to fix?

Upgrade pullit to version 1.4.0 or higher.


pullit is Display and pull branches from GitHub pull requests.

Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.


  • Create a branch that could potentially terminate an exec() command and concatenate to it a new command: git checkout -b ";{echo,hello,world}>/tmp/c”
  • Push it to GitHub and create a pull request with this branch name
  • Run pullit from command line, select the relevant pull request to checkout locally
  • Read the contents of /tmp/c

Disclosure Timeline

  • Oct 24th, 2017 - Initial Disclosure
  • Jan 11th, 2018 - Second Reminder
  • Feb 14th, 2018 - Public GitHub issue opened
  • Feb 14th, 2018 - First response from maintainer
  • Feb 14th, 2018 - Vulnerability published
  • Feb 19th, 2018 - Vulnerability fixed