Update Your Git Commit Tool Now – Critical Vulnerability Found in Popular Git Commit Info Package

CVE: CVE-2023-26134
CVSS v3.1: 9.8
Source: CVE-2023-26134

The popular Node.js package git-commit-info, which is used to parse commit messages from Git repositories, has been found to have a severe command injection vulnerability.

The package fails to properly sanitize user-provided commit hashes before using them in shell commands. This could allow an attacker to inject arbitrary commands that would be executed with the privileges of the application using the package.

Command injection vulnerabilities can be extremely dangerous, as they allow an attacker to fully compromise the application and, in some cases, even the underlying server. With access to the application’s privileges, an attacker could steal data, install malware, or perform other malicious actions.

The git-commit-info package is used by many build tools, CI/CD pipelines and other DevOps automation scripts to parse Git commit messages. As such, the vulnerability poses a risk to many Node.js applications and servers.

Users of the git-commit-info package are urged to immediately upgrade to version 2.0.2 or above, as it fixes the command injection flaw. Application owners should also review any usage of external packages and ensure proper input validation is performed before passing data to shell commands or other execution APIs.

Staying on top of security updates is critical, so configure your projects to automatically receive new versions of all dependencies. Be mindful, too, of the privileges granted to automation scripts, since they could be leveraged in attacks like this one if a vulnerability is exploited.
