CVE-2024-21531: git-shallow-clone Argument Injection vulnerability
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.40504%
CWE
Published
10/1/2024
Updated
11/7/2024
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| git-shallow-clone | npm | <= 0.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from line 27 in index.js where user-controlled parameters are directly used in spawned git commands. The function fails to sanitize clonePath argument which gets pushed to args array (line 27) and executed via spawn('git', args). This allows attackers to inject git flags like --upload-pack through the clonePath parameter, as demonstrated in Snyk's PoC. The combination of direct user input usage in process spawning and lack of argument sanitization matches CWE-88's pattern of argument injection vulnerabilities.