CVE-2019-5485

CRITICAL

gitlabhook 0.0.17 - OS Command Injection via Repository Name

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5485. PoCs published by Semen Alexandrovich Lyhin.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in the 'gitlabhook' npm package (version 0.0.17) by injecting arbitrary commands into the 'repository' field of a JSON payload. The payload is sent via a POST request to the target server, resulting in remote code execution.

Description

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

Exploits (1)

exploitdb WORKING POC
by Semen Alexandrovich Lyhin · textwebappsjson
https://www.exploit-db.com/exploits/47420

This exploit leverages a command injection vulnerability in the 'gitlabhook' npm package (version 0.0.17) by injecting arbitrary commands into the 'repository' field of a JSON payload. The payload is sent via a POST request to the target server, resulting in remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: gitlabhook npm package 0.0.17
No auth needed
Prerequisites: Target server running gitlabhook 0.0.17 · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/685447

Scores

CVSS v3 10.0
EPSS 0.4963
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
gitlabhook_project/gitlabhook 0.0.17
npm/gitlabhook 0npm
Published Sep 13, 2019
Tracked Since Feb 18, 2026