Miggo Logo
Miggo Vulnerability Database
CVE-2019-10776

CVE-2019-10776:
OS command injection in git-diff-apply

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-10776
GHSA ID
GHSA-84cm-v6jp-gjmr
EPSS Score
0.41999%
CWE
CWE-78
Published
2/14/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
git-diff-applynpm<= 0.22.10.22.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability occurs at line 240 (original line 225 in pre-patch code) where utils.run() executes a template string containing user-controlled remoteUrl. The commit 106d61d fixes this by switching to runWithSpawn with argument array formatting, confirming the original code used unsafe shell command construction. The main exported function in index.js is responsible for handling the git operations and contains the vulnerable command execution path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In "in**x.js" *il* lin* ***, t** run *omm*n* *x**ut*s t** *it *omm*n* wit* * us*r *ontroll** v*ri**l* **ll** r*mot*Url. T*is *****ts *it-*i**-*pply *ll v*rsions prior to *.**.*.

Reasoning

T** vuln*r**ility o**urs *t lin* *** (ori*in*l lin* *** in pr*-p*t** *o**) w**r* `utils.run()` *x**ut*s * t*mpl*t* strin* *ont*inin* us*r-*ontroll** `r*mot*Url`. T** *ommit ******* *ix*s t*is *y swit**in* to `runWit*Sp*wn` wit* *r*um*nt *rr*y *orm*tt