CVE-2021-3190
CRITICALasync-git < 1.13.2 - OS Command Injection via Shell Metacharacters
Title source: llmDescription
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
https://github.com/omrilotan/async-git/pull/13
Patch, Third Party Advisory x_refsource_misc
https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
Patch, Third Party Advisory x_refsource_misc
https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
Patch, Third Party Advisory x_refsource_confirm
https://github.com/omrilotan/async-git/pull/14
Exploit, Third Party Advisory x_refsource_misc
https://advisory.checkmarx.net/advisory/CX-2021-4772
Scores
CVSS v3
9.8
EPSS
0.0532
EPSS Percentile
91.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
async-git_project/async-git
< 1.13.2
npm/async-git
0 - 1.13.2npm
Published
Jan 26, 2021
Tracked Since
Feb 18, 2026