CVE-2025-59831
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-10-16
Generated
2026-06-19
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-18
NVD
CVE-2025-59831
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
riceball git-commiters to 0.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59831 is a command injection vulnerability in the git-commiters Node.js module (versions prior to 0.1.2). The module provides committers statistics for git repositories and exposes an API that accepts user input such as the revisionRange parameter. This input is not properly sanitized and is concatenated directly into shell commands, allowing an attacker to inject and execute arbitrary commands on the system. The vulnerability was fixed by sanitizing the revisionRange input to remove dangerous characters and safely enclosing it in quotes before command execution. [1, 2]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary shell commands on the system where git-commiters is used. For example, by supplying a malicious revisionRange value, an attacker could create or modify files, execute unwanted processes, or compromise the system's integrity and confidentiality. The attack can occur without disrupting the normal functionality of the package, making it harder to detect. [2]

Detection Guidance

This vulnerability can be detected by checking if your system is running git-commiters versions prior to 0.1.2. Additionally, you can look for suspicious files created by command injection exploits, such as the example file /tmp/pwn. A practical detection method is to run a test script using a malicious revisionRange input like "HEAD; touch /tmp/pwn; #" on [email protected] or earlier and check if the file /tmp/pwn is created. This indicates the presence of the vulnerability. There are no specific network commands provided, but verifying the installed package version and scanning for unexpected files created by injected commands are recommended steps. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the git-commiters package to version 0.1.2 or later, where the vulnerability has been patched. The fix involves sanitizing the revisionRange input to prevent command injection by removing quotes and properly quoting the input before command execution. Avoid using vulnerable versions and ensure that user inputs are sanitized or validated before being passed to shell commands. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59831. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart