8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26543

GHSA ID

GHSA-m744-2jj8-vpfv

EPSS Score

0.88511%

CWE

CWE-74

Published

2/10/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-26543

CVE-2021-26543: Command injection in git-parse

The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26543

GHSA ID

GHSA-m744-2jj8-vpfv

EPSS Score

0.88511%

CWE

CWE-74

Published

2/10/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
git-parse	npm	< 1.0.5	1.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Multiple advisories explicitly name 'gitDiff' as the vulnerable function.
The function's documented behavior (accepting commit hashes and file paths for diff operations) aligns with command injection patterns.
The CWE-74 classification indicates improper neutralization of output used in downstream commands, consistent with shell command injection via string interpolation.
The patch in version 1.0.5 likely added input sanitization or switched to safer command execution methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** "*it*i**" *un*tion in W*y**ir *it-p*rs* <=*.*.* **s * *omm*n* inj**tion vuln*r**ility. *li*nts o* t** *it-p*rs* li*r*ry *r* unlik*ly to ** *w*r* o* t*is, so t**y mi**t unwittin*ly writ* *o** t**t *ont*ins * vuln*r**ility.

Reasoning

*. Multipl* **visori*s *xpli*itly n*m* '*it*i**' *s t** vuln*r**l* *un*tion. *. T** *un*tion's *o*um*nt** ****vior (****ptin* *ommit **s**s *n* *il* p*t*s *or *i** op*r*tions) *li*ns wit* *omm*n* inj**tion p*tt*rns. *. T** *W*-** *l*ssi*i**tion in*i*

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-26543: Command injection in git-parse

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI