CVE-2026-11572
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | degit | 0 < 2.8.6 | affected |
| n/a | degit | 3.0.0 < 3.3.1 | affected |
Weaknesses
- CWE-78: Command Injection
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://security.snyk.io/vuln/SNYK-JS-DEGIT-17116207
- https://gist.github.com/badp3te/cf22a939eedbd3d8ade9123827d61639
- https://github.com/Rich-Harris/degit/commit/d55bfd7cea79c0b387f69ec8477b6c34abf9f226
- https://github.com/Rich-Harris/degit/commit/4ac99e4a4c3f53ca3b5c997bcd7542742ad0c443
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.