CVE-2022-24376: OS Command Injection in git-promise

CVSS Score: 7.2 (CVSS 3.1)

Basic Information

EPSS Score: 0.91994%
Published: 6/11/2022
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: git-promise
Ecosystem: npm
Vulnerable Versions: <= 1.0.0
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from how user-supplied git commands are processed:

  1. The prior fix (PR #8) attempted to mitigate command injection by switching from shell.exec to execFile with argument splitting
  2. The argument splitting uses split(/\s+/) which fails to account for:
    • Tab characters as argument separators (\t)
    • Shell variable substitution (${IFS})
  3. The package maintainer confirmed the vulnerability through README warnings demonstrating these injection vectors
  4. The execution flow (git() -> parse command -> execFile) remains vulnerable as no additional validation/sanitization was implemented
  5. CWE mappings (77/88) directly correlate to improper command argument neutralization in this function

WAF Protection Rules

WAF Rule

All versions of package git-promise is vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability (https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-******) in this package. Note: Please note that the vulnerability will
