CVE-2018-3785: Command Injection in git-dummy-commit
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2018-3785
GHSA ID:
EPSS Score: 0.87234%
CWE: CWE-78
Published: 8/21/2018
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
git-dummy-commit | npm | <= 1.3.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper neutralization of parameters used in OS commands (CWE-78). Given the package's purpose of creating git commits, the core function that builds and executes git commands handles user-provided commit messages. Without input sanitization or a safe execution method (such as `execFile` with separate arguments), passing unsanitized input to `child_process.exec` makes command injection possible, because `exec` hands the whole command string to a shell that interprets any quotes or metacharacters in the message. The description explicitly mentions an 'unescaped parameter' as the root cause, strongly indicating insecure command construction in the commit creation function.