CVE-2025-59831
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riceball | git-commiters | to 0.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59831 is a command injection vulnerability in the git-commiters Node.js module (versions prior to 0.1.2). The module provides committers statistics for git repositories and exposes an API that accepts user input such as the revisionRange parameter. This input is not properly sanitized and is concatenated directly into shell commands, allowing an attacker to inject and execute arbitrary commands on the system. The vulnerability was fixed by sanitizing the revisionRange input to remove dangerous characters and safely enclosing it in quotes before command execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary shell commands on the system where git-commiters is used. For example, by supplying a malicious revisionRange value, an attacker could create or modify files, execute unwanted processes, or compromise the system's integrity and confidentiality. The attack can occur without disrupting the normal functionality of the package, making it harder to detect. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running git-commiters versions prior to 0.1.2. Additionally, you can look for suspicious files created by command injection exploits, such as the example file /tmp/pwn. A practical detection method is to run a test script using a malicious revisionRange input like "HEAD; touch /tmp/pwn; #" on [email protected] or earlier and check if the file /tmp/pwn is created. This indicates the presence of the vulnerability. There are no specific network commands provided, but verifying the installed package version and scanning for unexpected files created by injected commands are recommended steps. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the git-commiters package to version 0.1.2 or later, where the vulnerability has been patched. The fix involves sanitizing the revisionRange input to prevent command injection by removing quotes and properly quoting the input before command execution. Avoid using vulnerable versions and ensure that user inputs are sanitized or validated before being passed to shell commands. [1, 2]