CVE-2025-11148
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-10-02

Assigner: Snyk

Description
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-10-02
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
npm check-branches 0.0.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11148 is a critical command injection vulnerability in the check-branches npm package (version 0.0.19 and earlier). The tool, which checks for conflicts between git branches, trusts branch names as plain text and constructs git commands by concatenating user input without sanitization. Since branch names can be controlled by users (e.g., via pull requests or repository access), an attacker can craft malicious branch names containing shell commands. When check-branches processes these branch names, it executes the injected commands on the host system, allowing arbitrary OS command execution. [1, 2]

Impact Analysis

This vulnerability allows an attacker who can create or modify git branches in a repository to execute arbitrary OS commands on the system running check-branches. This can lead to a total loss of confidentiality, integrity, and availability of the affected system. For example, an attacker can run malicious commands remotely without any privileges or user interaction, potentially compromising the entire host environment. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable check-branches package (version 0.0.19 or earlier) and by looking for suspicious branch names that contain shell command syntax. One practical detection method is to attempt creating a branch with a payload such as `";{echo,hello,world}>/tmp/d"` and then running check-branches to see if the file `/tmp/d` is created, indicating command injection. Additionally, monitoring for unexpected files or commands executed during check-branches runs can help detect exploitation. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting who can create or modify Git branches to trusted users only, avoiding running check-branches on repositories where branch names are not fully controlled or sanitized, and monitoring for suspicious branch names. Since no fixed version is currently available, avoid using check-branches in untrusted environments or consider alternative tools that properly sanitize branch names. Additionally, review and sanitize branch names before passing them to any commands. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart