CVE-2021-32673: Remote Command Execution in reg-keygen-git-hash-plugin
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-32673
GHSA ID
EPSS Score: 0.81939%
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Published: 6/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| reg-keygen-git-hash-plugin | npm | < 0.10.16 | 0.10.16 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The fixing commit f84ad9c introduced shell-escape to sanitize git command arguments, which points directly at the vulnerable pattern: every modified function built its git command with unsanitized template-string interpolation (${hash}, ${a}, ${b}) and passed the resulting string to child_process.execSync, which hands it to /bin/sh. Any shell metacharacter in those values (a semicolon, a pipe, backticks, $(...)) is therefore executed as part of the command, which is exactly what the CWE-78 classification (improper neutralization of special elements used in an OS command) describes. Confidence in this root cause is high because the patch adds argument escaping at precisely those interpolation points; the 8.8 CVSS score reflects the impact of the injection rather than being independent evidence for it. One caveat for anyone applying the same fix elsewhere: escaping neutralizes shell metacharacters only. A value beginning with "-" still reaches git as an option, so callers should also validate that a hash has the expected hexadecimal shape, or avoid the shell entirely by passing an argument array to execFileSync.