
CVE-2025-11148: check-branches is vulnerable to command Injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.51832%
Published: 9/30/2025
Updated: 9/30/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name     Ecosystem   Vulnerable Versions   First Patched Version
check-branches   npm         <= 0.0.19             (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability exists because the check-branches tool constructs shell commands by concatenating user-controllable input (git branch names) without proper sanitization. The analysis of the source code in src/index.ts reveals that the child_process.exec function is used to run git commands.

The getBranchContributors function takes a branch name as input and directly embeds it into a git log command, making it vulnerable. Similarly, the main check function, which is the primary entry point of the CLI tool, constructs and executes several git commands (git checkout, git merge) using branch names. Since branch names can be crafted by an attacker to contain arbitrary shell commands (e.g., my-branch; rm -rf /), running check-branches in a repository with such a branch will lead to command injection. The proof-of-concept confirms this by creating a branch named ";{echo,hello,world}>/tmp/d" which, when processed by the tool, executes the echo command and redirects the output to a file.

Vulnerable functions

check_branches.getBranchContributors
src/index.ts
The function `getBranchContributors` is vulnerable to command injection because it directly concatenates the `branch` parameter into a shell command that is executed via `exec`. An attacker can create a branch with a malicious name containing shell commands, and when this function is called with that branch name, the commands will be executed on the system.
check_branches.check
src/index.ts
The `check` function is vulnerable to command injection in multiple places. It uses the branch name, which can be controlled by an attacker, to construct and execute shell commands using `exec`. Specifically, it uses the branch name in `git checkout` and `git merge` commands. An attacker can create a branch with a malicious name, and when the `check-branches` tool is run, these commands will be executed, leading to arbitrary command execution.

WAF Protection Rules

WAF Rule

All versions of the package check-branches are vulnerable to command Injection. check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conv
