CVE-2026-11572
Deferred Deferred - Pending Action

Command Injection in degit Package

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Snyk

Description
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-29
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-11572
EUVD
EUVD-2026-35349

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rich_harris degit to 3.3.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11572 is a command injection vulnerability in the degit package versions before 2.8.6 and between 3.0.0 and 3.3.1. The vulnerability arises because degit improperly sanitizes user input when constructing git shell commands executed via the exec() method in the _cloneWithGit() and fetchRefs() functions.

An attacker can supply a specially crafted git repository name that includes shell metacharacters, allowing them to execute arbitrary operating system commands with the privileges of the process user. This happens because the input validation only blocks forward slashes and whitespace but allows other shell metacharacters, and exec() invokes a shell that evaluates these characters.

The root causes include insufficient input validation by the parse() function, unsafe use of exec() instead of safer alternatives like execFile(), and unsanitized user input in fetchRefs().

Impact Analysis

This vulnerability allows an attacker to execute arbitrary operating system commands on the affected system with the same privileges as the degit process user.

  • Remote code execution can lead to unauthorized access, data theft, or system compromise.
  • It can be exploited over the network without requiring special privileges, though some user interaction may be needed.
  • Common exploitation scenarios include injection attacks in CI/CD pipelines, web-based project scaffolding tools, or developer machines using malicious packages.
  • Successful exploitation can disrupt development workflows, compromise sensitive data, or allow attackers to pivot within a network.
Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious execution of shell commands originating from degit processes, especially those involving git repository names that contain shell metacharacters or command substitution syntax.

Since the vulnerability involves command injection via the exec() method, one way to detect exploitation attempts is to look for degit commands or processes invoking shell commands with unexpected arguments.

Suggested commands to detect potential exploitation attempts include:

  • Using process monitoring tools (e.g., ps, top) to identify degit processes running with suspicious parameters.
  • Using auditd or similar Linux auditing tools to log execve system calls from degit binaries.
  • Searching shell history or logs for degit commands containing shell metacharacters such as `$()`, `${}`, or other suspicious patterns.
  • Example command to find degit processes: `ps aux | grep degit`
  • Example command to search for suspicious patterns in logs: `grep -E '\$\(|\$\{|;|&&' /var/log/*`
Mitigation Strategies

The primary and immediate mitigation step is to upgrade the degit package to a fixed version.

  • Upgrade degit to version 2.8.6 or later if using the 2.x series.
  • If using the 3.x series, upgrade to version 3.3.1 or later.

These versions include fixes that properly sanitize user input and replace unsafe exec() calls with safer alternatives, preventing command injection.

Additionally, avoid using degit with untrusted input, especially in automated environments like CI/CD pipelines or scaffolding tools.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary operating system commands by supplying a specially crafted git repository name. This can lead to unauthorized access, data breaches, or system compromise.

Such unauthorized command execution and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Specifically, exploitation in environments such as CI/CD pipelines or developer machines could lead to leakage or manipulation of personal or protected health information, violating confidentiality and integrity requirements mandated by these regulations.

Mitigation by upgrading to fixed versions reduces the risk and helps maintain compliance by preventing exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11572. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart