Summary:
A critical security flaw—CVE-2022-25648—was found in the git npm package before version 1.11.. This package helps developers run Git commands from Node.js scripts. The main issue: it’s possible for attackers to run any shell command on your server by crafting special arguments, due to the way the package passed remote values straight to the system shell.
Let’s dig into how this happens, see some example code, and talk about ways to stay safe.
What’s the Problem?
The git npm package lets you run Git operations, like git fetch, from JavaScript code. One function looks like:
```javascript
fetch(remote = 'origin', opts = {})
```
But here’s the problem: the remote parameter is not sanitized. The code that runs git fetch simply drops the value you pass as-is into the shell command. That means if you give it something *sneaky* like origin; rm -rf /, it could run both git fetch origin and rm -rf / (or whatever destructive command an attacker wrote!).
Example Exploit
Let’s see how an attacker could use this in a real project.
Suppose you trust user input for the remote name:
```javascript
// Deliberately vulnerable usage: the remote name comes straight from the user
// and is handed to git.fetch(), which (before 1.11) built a shell command string.
const git = require('git');

function fetchUserRepo(remoteName) {
  git.fetch(remoteName, {}, function (err, result) {
    if (err) throw err;
    console.log('Fetched:', result);
  });
}

// User supplies 'origin; touch /tmp/hacked'
fetchUserRepo('origin; touch /tmp/hacked');
```
Result:
The system receives this command:
```sh
git fetch origin; touch /tmp/hacked
```
- This will create a file called /tmp/hacked or run any other shell code.
That’s command injection—an attacker can run ANY code, not just git commands.
Why Does This Happen?
Here’s a simplified view of the source code before the fix (original vulnerable code on GitHub):
```javascript
var child_process = require('child_process');

// Vulnerable: remote is concatenated into a single string that exec() hands
// to /bin/sh -c, so shell metacharacters in remote are interpreted.
exports.fetch = function (remote, options, callback) {
  var command = 'git fetch ' + remote;
  child_process.exec(command, callback);
};
```
Instead of providing the remote as a list of arguments, the command just sticks it directly into the shell command string. This lets any special shell character (;, &&, |, etc.) within remote take over the shell!
Links and References
- NPM Advisory - CVE-2022-25648
- GitHub Security Advisory
- Snyk vulnerability database
- Original vulnerable code
How Can Attackers Abuse This?
- Remote code execution (RCE): Attackers could run any shell command with the same privileges as your app.
- System compromise: Removal or modification of files, data exfiltration, or even backdoor installation.
How to Fix It?
Update!
Any project using the git npm package must upgrade to at least 1.11., where this bug is fixed.
Here’s how you update:
```sh
npm install git@latest
# or, to be specific
npm install git@1.11.
```
Do not trust user-supplied values for command-line arguments—sanitize, validate, or (best) use parameterized APIs that do NOT invoke a shell.
The fix switched from string concatenation to using argument arrays, like this (simplified):
```javascript
child_process.spawn('git', ['fetch', remote], { ... });
```
This method runs the command directly instead of inside sh, so shell metacharacters are NOT interpreted.
Conclusion
CVE-2022-25648 is a classic example of what goes wrong with unsafe command execution in code—not validating input and passing unchecked values into system shells is always dangerous.
Stay secure—don’t let a small oversight become a big breach!
*This post is exclusive and original content for your reading—share or reference as you need, but always patch your code!*
Timeline
Published on: 04/19/2022 17:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC