← back
CVE-2025-59831

`git-comiters` Command Injection vulnerability

CVSS 8.7 HIGHEPSS 2.3%CWE-77CWE-78
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.7EPSS 2.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Sep 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →