CVE-2025-66219
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-29

Last updated on: 2025-12-19

Assigner: GitHub, Inc.

Description
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-29
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-11-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dontkry willitmerge to 0.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in willitmerge versions 0.2.1 and prior is a command injection flaw. It occurs because the tool uses an insecure method (exec) to run child processes, concatenating user input directly into commands. This allows an attacker to inject and execute arbitrary commands via command-line flags or through user-controlled input in the target repository.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary commands on the system running willitmerge without any privileges or user interaction. This could lead to unauthorized access, data compromise, system manipulation, or disruption of services.

Mitigation Strategies

Since no known fix is public at the time of publication, immediate mitigation steps include avoiding use of willitmerge versions 0.2.1 and prior, especially in environments where untrusted input can be passed to the tool. Additionally, restrict access to the tool and monitor for suspicious activity related to its execution. Consider isolating or sandboxing the tool to limit potential impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart