N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66219

CVE-2025-66219: willitmerge has a Command Injection vulnerability

willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version willitmerge@0.2.1.

Resources:

Project's GitHub source code: https://github.com/shama/willitmerge/
Project's npm package: https://www.npmjs.com/package/willitmerge

Background on exploitation

Reporting a Command Injection vulnerability in willitmerge npm package.

A security vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concateanes user input, whether provided to the command-line flag, or is in user control in the target repository.

Exploit

POC 1

Install willitmerge
Run it with the following command

willitmerge --verbose --remote "https://github.com/lirantal/npq.git; touch /tmp/hel"

Confirm the file /tmp/hel is created on disk

GitHub-sourced attack vector

Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command:

  var cmds = [
    'git checkout -b ' + branch + ' ' + that.options.remote + '/' + iss.base.ref,
    'git remote add ' + branch + ' ' + gitUrl,
    'git pull ' + branch + ' ' + iss.head.ref,
    'git reset --merge HEAD',
    'git checkout ' + origBranch,
    'git branch -D ' + branch,
    'git remote rm ' + branch
  ];

Users creating malicious branch names such as ;{echo,hello,world}>/tmp/c

This is a similar attack vector to that which was reported for the [pullit vulnerability (https://security.snyk.io/vuln/npm:pullit:20180214)

Author

Liran Tal

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66219

CVE-2025-66219:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
willitmerge	npm	<= 0.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the willitmerge package unsafely constructs shell commands using user-controllable input and executes them via child_process.exec. The analysis of lib/willitmerge.js reveals two primary attack vectors.

First, the willitmerge.findRemote function takes the --remote command-line argument and directly concatenates it into a git remote show -n command. As demonstrated in the proof-of-concept, an attacker can inject arbitrary commands by appending them to the remote URL, separated by a semicolon.

Second, the willitmerge.testIssue function constructs several git commands using metadata from a GitHub pull request, such as branch names (iss.base.ref, iss.head.ref). An attacker can create a pull request with a maliciously crafted branch name containing shell commands. When willitmerge processes this pull request, the commands are executed on the host system.

In both cases, the commands are executed by the execSeries helper function, which is a simple wrapper around the insecure exec function. Therefore, willitmerge.findRemote, willitmerge.testIssue, and execSeries are the key functions that would appear in a runtime profile during exploitation.

Vulnerable functions

willitmerge.findRemote

lib/willitmerge.js

The function `willitmerge.findRemote` is vulnerable to command injection because it uses the `exec` function to run a `git remote show -n` command with user-provided input from the `--remote` option. An attacker can provide a malicious string like `\"myremote; touch /tmp/pwned\"` to execute arbitrary commands on the system.

willitmerge.testIssue

lib/willitmerge.js

The function `willitmerge.testIssue` is vulnerable to command injection because it constructs git commands using data from a pull request (`iss.base.ref`, `iss.head.ref`, `gitUrl`) without proper sanitization. An attacker can create a pull request with a malicious branch name (e.g., `my-branch;id`) to execute arbitrary commands when the tool processes the pull request.

execSeries

lib/willitmerge.js

The `execSeries` function acts as a wrapper around `child_process.exec`. It receives and executes command strings from other functions like `willitmerge.testIssue`. Since it directly passes these commands to `exec`, it is the function where the command injection is ultimately triggered. Any call to this function with unsanitized input is a potential security risk.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66219: willitmerge has a Command Injection vulnerability

Background on exploitation

Exploit

POC 1

GitHub-sourced attack vector

Author

CVE-2025-66219:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

CVE-2025-66219: willitmerge has a Command Injection vulnerability

Background on exploitation

Exploit

POC 1

GitHub-sourced attack vector

Author

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI